On Thu, 28 Jul 2011 08:06:51 -0700, Paul Eggert wrote:
> On 07/28/11 07:44, Daniel Macks wrote:
> > printf(foo);
> >
> > is considered a potential security risk if foo is a variable
> > rather than a simple quoted string. The solution is to do:
> >
> > printf("%s", foo);
> I'm afraid this bug report is rather vague; without knowing the
> details of which printf call we're talking about, there's not
> much we can do. Certainly there are some calls to printf-like
> functions where the above transformation would break things,
> as FOO is supposed to be a format.
The warning is only when foo really winds up as a simple string and not
a format string with %X specifiers that are replaced by subsequent parameters.
Does this list like .patch attachments, or pasted directly into the
email body, or...?
dan
--
Daniel Macks
[email protected]
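The difference between `printf(foo)` and `printf("%s", foo)` that the thread is about, as an added example in C; this is not code from the thread or from the project under discussion. The helper `count_conversions` is a hypothetical illustration of the check Daniel describes (does the string contain %X specifiers that would be replaced by parameters?), and the two sample inputs are constructed for the demo. `format_unsafe` is the pattern being warned about and is only ever called on a directive-free string, because calling it on the hostile one would read arguments that were never passed.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in s.  "%%" is a literal percent
 * sign and is not counted; a lone trailing '%' is ignored.  Any count
 * above zero means printf(s) would read arguments the caller never
 * passed (or, for "%n", write through a pointer it never passed).
 * Hypothetical helper for illustration; it does not parse flags, width,
 * precision or length modifiers. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is the escape for a literal '%' */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* dangling '%' at end of string */
            break;
        n++;                    /* %d, %s, %x, %n, ... */
    }
    return n;
}

/* Shared output buffer so the helpers can return a C string. */
static char out_buf[128];

/* The pattern the thread warns about: foo itself is the format string.
 * Only well-defined when foo contains no directives, and even then "%%"
 * collapses to "%", so the text is not reproduced verbatim. */
const char *format_unsafe(const char *foo)
{
    snprintf(out_buf, sizeof out_buf, foo);
    return out_buf;
}

/* The fix from the thread: foo is passed as data for a fixed "%s"
 * format, so its bytes are copied through unchanged. */
const char *format_safe(const char *foo)
{
    snprintf(out_buf, sizeof out_buf, "%s", foo);
    return out_buf;
}

int main(void)
{
    /* Constructed sample inputs (not from the thread). */
    const char *hostile = "login failed for %x %x %n";
    const char *benign  = "100%% done";

    printf("directives in hostile input: %d\n", count_conversions(hostile));
    printf("directives in benign input:  %d\n", count_conversions(benign));

    /* format_unsafe(hostile) is deliberately NOT called: it would read
     * two missing arguments and write through a missing pointer. */
    printf("safe:   [%s]\n", format_safe(hostile));
    printf("unsafe: [%s]\n", format_unsafe(benign));
    printf("safe:   [%s]\n", format_safe(benign));
    return 0;
}
```

The last two lines of output make Paul's caveat concrete: if a call site really intends foo as a format, the `"%s"` rewrite changes behaviour (`100%% done` stays as written instead of becoming `100% done`), so each call has to be classified before it is transformed.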