From: Daniel Macks
Subject: Re: [Bug-tar] Format-string warnings in 1.26
Date: Thu, 28 Jul 2011 11:20:09 -0400
User-agent: Webmail 6.0
On Thu, 28 Jul 2011 08:06:51 -0700, Paul Eggert wrote:
> On 07/28/11 07:44, Daniel Macks wrote:
>> printf(foo);
>>
>> is considered a potential security risk if foo is a variable rather than a simple quoted string. The solution is to do:
>>
>> printf("%s", foo);
>
> I'm afraid this bug report is rather vague; without knowing the details of which printf call we're talking about, there's not much we can do. Certainly there are some calls to printf-like functions where the above transformation would break things, as FOO is supposed to be a format.
The warning is only when foo really winds up as a simple string and not a format-string with %X that are replaced by subsequent parameters. Does this list like .patch attachments, or pasted directly into the email body, or...?
dan

-- 
Daniel Macks
address@hidden
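The distinction the thread is about, shown in code: a string that is data (a file name, a message built at runtime) must go through a fixed "%s" format rather than being passed as the format itself, because any '%' it happens to contain would otherwise be interpreted as a conversion. The example below is added here and is not tar's code or anything from the thread; the helper names (count_conversions, literal_roundtrips, print_literal) and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion specifiers in s: every '%' that is not half of a
 * literal "%%". A value above zero means the string would consume
 * arguments if it were ever used as a printf format. This is the check
 * a reviewer does by eye when deciding whether "foo really winds up as
 * a simple string"; it is an assumed helper, not a libc function. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') {  /* "%%" is an escaped percent sign */
                s++;
                continue;
            }
            n++;
        }
    }
    return n;
}

/* Format s as data through a fixed "%s" format and report whether the
 * result reproduces s byte for byte (1) or not (0). Because the format
 * is a literal, the content of s can never be treated as a format. */
static int literal_roundtrips(const char *s)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s", s);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, s) == 0;
}

/* The hardened pattern from the thread: printf("%s", foo) instead of
 * printf(foo). Returns printf's own return value (characters written). */
static int print_literal(const char *s)
{
    return printf("%s", s);
}

int main(void)
{
    /* Constructed sample: a file name that happens to contain "% d",
     * which is a valid conversion (space flag, d). */
    const char *name = "100% done";

    /* Unsafe form, deliberately NOT executed: printf(name) would read an
     * int argument that was never passed (undefined behaviour). */
    printf("conversions in \"%s\": %d\n", name, count_conversions(name));

    /* Safe form: the same string printed as data. */
    print_literal(name);
    putchar('\n');

    printf("round-trips through \"%%s\": %d\n", literal_roundtrips(name));
    return 0;
}
```

Calls where the variable really is meant to be a format (a translated message with its own %d placeholders, for instance) are exactly the ones Paul Eggert warns would break under the "%s" rewrite; count_conversions() returning a positive value for a string that is supposed to be plain data is the case the compiler warning is flagging.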