Hi Theo,

Theo de Raadt wrote on Fri, Nov 17, 2017 at 11:59:47AM -0700:

> how should this work and what would be the best direction

The following two aspects provide no clear guidance what is better:

 1. Both printing invalid bytes (in particular to terminals)
    and losing information that was intended to be printed
    can be dangerous.

 2. My brief look into the ports tree indicates that, while
    this is used a lot, people hardly ever check for any kind
    of failure or invalid data.

Consequently, it may be best to follow what other systems do such
that we at least get the unintended application program behaviour
in the same places, whatever the standards may say.

Even if not much pre-ANSI-C code should be left today, it seems
that most people intuitively expect the format string to be a
byte string rather than a multibyte character string, so it is
likely that new code was written post-ANSI-C and even post C99
that assumes the format string can contain arbitrary bytes.

Conversely, while the look at the ports tree seems to indicate that
many people do (unintentionally?) rely on *printf(3) for the
validation of their variable format strings, as long as they don't
check for errors, neither of the options is clearly better than
the other in that respect.

So i withdraw my objection to the patch.

Yours,
  Ingo
