Grzegorz Jaskiewicz wrote:
On 2009-01-18, at 09:56, Peter Eisentraut wrote:
-Wformat-security warns about
printf(var);
but not about
printf(var, a);
I don't understand that; the crash or exploit potential is pretty much the same in both cases.
Not at all. The first case allows you to pass in var from outside, with your well-crafted format strings. Please read more about the subject before you say something that silly.
The point is that if "var" comes from an untrusted source, both forms
are just as dangerous.
I guess that in practice, the first form is more likely to be an oversight.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
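The two forms from the thread side by side with the hardened form, as an added example that is not part of the original exchange or PostgreSQL code; count_conversions is a hypothetical defensive helper, and the pragma only exists so the file still compiles where -Wformat-security is promoted to an error.

```c
#include <stdio.h>

/* Both of these hand caller-supplied text to printf as the FORMAT argument.
 * -Wformat-security flags the first but not the second, although if var is
 * untrusted the format string is attacker-controlled in both cases. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void unsafe_one_arg(const char *var)        { printf(var); }      /* warned */
void unsafe_two_arg(const char *var, int a) { printf(var, a); }   /* not warned */
#pragma GCC diagnostic pop

/* Hardened form: the format is a string literal and the untrusted text is
 * only ever a %s argument, so any '%' inside it is printed literally. */
void safe_print(const char *var, int a) { printf("%s %d\n", var, a); }

/* Hypothetical defensive check: count conversion specifications in a string
 * that is supposed to be plain text, treating "%%" as an escaped percent.
 * A non-zero result on data about to reach a formatting function is a sign
 * the data is being used as a format instead of as an argument. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign, skip both */
            p++;
            continue;
        }
        n++;                 /* anything else after '%' starts a conversion */
    }
    return n;
}

int main(void)
{
    const char *untrusted = "hello %s %d";   /* constructed sample input */
    /* The unsafe functions are defined but deliberately not called: with
     * this input they would read arguments that were never passed. */
    safe_print(untrusted, 42);               /* prints: hello %s %d 42 */
    printf("conversions in input: %d\n", count_conversions(untrusted));
    return 0;
}
```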