https://gcc.gnu.org/bugzilla/show_bug.cgi?id=124393
--- Comment #2 from Marco Meinardi <marcomeinardi01 at gmail dot com> ---
In the Ubuntu/Debian versions, it is enabled by default. I get the warning
without any additional compilation flag.
$ gcc --version
gcc (Ubuntu 13.3.0-6ubuntu2~24.04.1) 13.3.0
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ cat > fmt.c
#include<stdio.h>
int main() {
        char buf[100];
        fgets(buf, sizeof(buf), stdin);
        printf(buf);
}
$ gcc -o fmt fmt.c
fmt.c: In function 'main':
fmt.c:5:16: warning: format not a string literal and no format arguments [-Wformat-security]
    5 |         printf(buf);
      |                ^~~
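
The form that compiles without the -Wformat-security warning, as an added example that is not part of the original comment: the input line is passed as an argument to a literal "%s" format, so conversion specifiers in it are treated as data. The helper names echo_line and echo_text and the temporary-file input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the bug report): read one line from `in`
 * and render it into `out` as data, never as a format string.
 * Returns the number of characters written, or -1 on EOF, error or
 * truncation. */
int echo_line(FILE *in, char *out, size_t outsz)
{
    char buf[100];

    /* The reproducer ignores the result of fgets(); on EOF buf would be
     * uninitialised, so check it. */
    if (fgets(buf, sizeof(buf), in) == NULL)
        return -1;

    /* Literal "%s" format: conversion specifiers inside buf are copied
     * verbatim, and -Wformat-security has nothing to flag. */
    int n = snprintf(out, outsz, "%s", buf);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Constructed sample input: feed `text` through echo_line() via a
 * temporary file standing in for stdin. */
int echo_text(const char *text, char *out, size_t outsz)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(text, f);
    rewind(f);
    int n = echo_line(f, out, outsz);
    fclose(f);
    return n;
}

int main(void)
{
    char out[128];
    if (echo_line(stdin, out, sizeof(out)) < 0)
        return 1;
    fputs(out, stdout);   /* fputs() takes no format string at all */
    return 0;
}
```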