In response to a public outcry the strings program now defaults to using the

--all option which displays text from anywhere in the input file(s).  The
default used to be --data, which only displays text from loadable data sections,
but this requires the use of the BFD library.  Since the BFD library almost
certainly still contains buffer overrun and/or memory corruption bugs, and
since the strings program is often used to examine malicious code, it was
decided that the --data option option represents a possible security risk.

	* strings.c: Add new command line option --data to only scan the
	initialized, loadable data secions of binaries.  Choose the
	default behaviour of --all or --data based upon a configure
	option.
	* doc/binutils.texi (strings): Update documentation.  Include
	description  of why the --data option might be unsafe.
	* configure.ac: Add new option --disable-default-strings-all which
	restores the old behaviour of strings using --data by default.  If
	the option is not used make strings use --all by default.
	* NEWS: Mention the new behaviour of strings.
	* configure: Regenerate.
	* config.in: Regenerate.

1 files changed, 36 insertions, 10 deletions

diff --git a/binutils/doc/binutils.texi b/binutils/doc/binutils.texi
index 3874f25..eee77b1 100644
--- a/binutils/doc/binutils.texi
+++ b/binutils/doc/binutils.texi
@@ -2672,15 +2672,24 @@ strings [@option{-afovV}] [@option{-}@var{min-len}]
 
 @c man begin DESCRIPTION strings
 
-For each @var{file} given, @sc{gnu} @command{strings} prints the printable
-character sequences that are at least 4 characters long (or the number
-given with the options below) and are followed by an unprintable
-character.  By default, it only prints the strings from the initialized
-and loaded sections of object files; for other types of files, it prints
-the strings from the whole file.
+For each @var{file} given, @sc{gnu} @command{strings} prints the
+printable character sequences that are at least 4 characters long (or
+the number given with the options below) and are followed by an
+unprintable character.
 
-@command{strings} is mainly useful for determining the contents of non-text
-files.
+Depending upon how the strings program was configured it will default
+to either displaying all the printable sequences that it can find in
+each file, or only those sequences that are in loadable, initialized
+data sections.  If the file type in unrecognizable, or if strings is
+reading from stdin then it will always display all of the printable
+sequences that it can find.
+
+For backwards compatibility any file that occurs after a command line
+option of just @option{-} will also be scanned in full, regardless of
+the presence of any @option{-d} option. 
+
+@command{strings} is mainly useful for determining the contents of
+non-text files.
 
 @c man end
 
@@ -2690,8 +2699,25 @@ files.
 @item -a
 @itemx --all
 @itemx -
-Do not scan only the initialized and loaded sections of object files;
-scan the whole files.
+Scan the whole file, regardless of what sections it contains or
+whether those sections are loaded or initialized.  Normally this is
+the default behaviour, but strings can be configured so that the
+@option{-d} is the default instead.
+
+The @option{-} option is position dependent and forces strings to
+perform full scans of any file that is mentioned after the @option{-}
+on the command line, even if the @option{-d} option has been
+specified.
+
+@item -d
+@itemx --data
+Only print strings from initialized, loaded data sections in the
+file.  This may reduce the amount of garbage in the output, but it
+also exposes the strings program to any security flaws that may be
+present in the BFD library used to scan and load sections.  Strings
+can be configured so that this option is the default behaviour.  In
+such cases the @option{-a} option can be used to avoid using the BFD
+library and instead just print all of the strings found in the file.
 
 @item -f
 @itemx --print-file-name