nickschermer at gmail.com
Fri Dec 26 14:30:11 CET 2008
2008/12/25 Brian J. Tarricone <bjt23 at cornell.edu>:
> To preface, gcc 4.3.2 here.
> On Thu, 25 Dec 2008 14:06:23 +0100 Nick Schermer wrote:
>> Did a bit of testing on some of the flags in the article and those
>> are a bit annoying:
Though, my bad. There was a g_return_val_if_fail() above the line. I
should sometimes read better...
>> Makes g_strdup_printf (format, message); unusable (both variables).
>> Same for strftime related functions.
> Well, if "format" is a variable from an untrusted source (and not a
> string literal), I *do* want a warning thrown, as that could be a
> security vulnerability. If "format" is a variable with format
> specifiers constructed by the programmer, then yeah, that's annoying,
> but perhaps there's a better way to write that code that's less
> I guess possibly I could leave off -Wformat-nonliteral and replace it
> with -Wformat-security. It's not quite as safe -- you could still
> concat a fixed format string with something supplied by the user, and
> then supply a single extra argument to printf(), and it would be
> unsafe, but get by without a warning, but this is better than nothing.
-Wformat-security is already in the list and is triggered for all the printf
functions (i.e. the const gchar *format, ...). -Wformat-nonliteral
only 'breaks' strftime here, because I convert the utf-8 to the current locale.
And although the format is defined by the user I don't really see a security
problem here. (and with -Werror the compilation aborts).
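The three situations the thread touches on, shown as an added example (this is not code from the thread or from Xfce, and the function names are constructed for the illustration): untrusted text passed as data rather than as the format, a programmer-built format routed through a va_list wrapper so -Wformat-nonliteral stays quiet while callers are still checked, and a user-chosen strftime format where the warning is suppressed for that one call only. The block compiles cleanly under gcc -Wall -Wformat=2 -Werror, which enables both -Wformat-security and -Wformat-nonliteral.

```c
/* Added example, not from the thread or from Xfce: three ways to keep
 * format-string code clean under gcc -Wall -Wformat=2 -Werror, which
 * turns on both -Wformat-security and -Wformat-nonliteral. All
 * function names here are constructed for the illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Case 1: untrusted text is an argument, never the format.
 * snprintf(buf, size, message) would be flagged by -Wformat-security
 * (non-literal format, no arguments) and would let a message that
 * contains "%n" or "%s" drive the formatter; with "%s" the message is
 * copied as plain data. Returns what snprintf reports. */
int copy_message(char *buf, size_t size, const char *message)
{
    return snprintf(buf, size, "%s", message);
}

/* Case 2: a programmer-built format goes through a va_list wrapper.
 * The format attribute makes gcc type-check every caller's literal
 * format against its arguments, while the vsnprintf(fmt, ap) call
 * inside is exempt from -Wformat-nonliteral because it takes a
 * va_list. This is the usual way to quiet g_strdup_printf-style
 * warnings without giving up the checks at the call sites. */
static int format_into(char *buf, size_t size, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int format_into(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Case 3: a user-chosen strftime format, as in a clock display.
 * strftime has no va_list form, so -Wformat-nonliteral fires on any
 * non-literal format; but strftime conversions consume no variadic
 * arguments, so a bad format yields wrong text rather than memory
 * reads or writes. The warning is therefore suppressed for exactly
 * this call and nowhere else. Returns the byte count strftime gives
 * (0 when the buffer is too small or the result is empty). */
size_t render_time(char *buf, size_t size, const char *user_fmt,
                   const struct tm *tm)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
    return strftime(buf, size, user_fmt, tm);
#pragma GCC diagnostic pop
}
```

A caller such as format_into(buf, sizeof buf, "%s=%d", "count", 7) is type-checked by gcc through the attribute, while copy_message(buf, sizeof buf, "%x %n") stores the five characters literally instead of interpreting them.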