Junio C Hamano <[email protected]> writes: > Stefan Beller <[email protected]> writes: > >> Compared to the last send of this patch[1], there was one change in the print >> function. Replaced sprintf by snprintf for security reasons. > > Careful. I despise people who blindly think strlcpy() and > snprintf() are good solutions for for security. They are by > themselves not. > ... > So use of snprintf() is not really buying you much here, not in the > current code certainly, but not as a future-proofing measure, > either.
Don't get me wrong. I am not saying that using snprintf() here is bad per-se. There should be no difference. But I do not want to see people getting in the habit of thinking "I now use snprintf/strlcpy instead of sprintf/strcpy, and made my code more secure." Often they are not doing that. The only case snprintf/strlcpy is useful is when your data does not matter in its detail. E.g. when you are preparing human-readble data whose first part is sufficient to convey the information you want to convey, you would be perfectly happy if the result is truncated. In such a case, counting to allocate enough to hold everything and running sprintf() only to chop the result later is not necessary --- it still is not wrong, though --- and allocating enough to satisify the eventual chop length and using snprintf() is easier way to achieve the same result. But I do not think this codepath falls into such an "I am willing to lose data" case. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
