On 2018-12-28 11:08 p.m., Bruno Haible wrote:
[CCing Florian Weimer.
Florian, the thread started at
https://lists.gnu.org/archive/html/bug-gnulib/2018-12/msg00149.html ]

Assaf Gordon wrote:
The comment even says:
        /* Unknown format; output the format, including the '%',
           since this is most likely the right thing to do if a
           multibyte string has been misparsed.  */

This has been the case since 1996 when strftime.c was imported from libc
(gnulib commit afabd949).

I suspect that changing this behavior would be a disruptive
backwards-incompatible change (but other opinions are welcomed).

The "security" and "robustness" aspects of software have gained importance
over the last 22 years, also in domain of glibc.

Florian, Assaf discovered that glibc processing of time format strings
(strftime) operates according to the garbage-in - garbage-out principle,
that is, an invalid format string does not get reported to the caller
but instead produces output that is "most likely the right thing".

Is this still considered the adequate processing, from a glibc point of

For reference, this is about ./time/strftime_l.c lines 1414-1428:


Also, POSIX says:
"If a conversion specification does not correspond to any of the above, the behavior is undefined."

Looking at the "bigger picture",
I'll just say my goal is to provide a helpful warning in date(1),
not to change any APIs...

 - assaf

Reply via email to