Re: error: format not a string literal and no format arguments
- From: Colin Walters <walters redhat com>
- To: Alexander Jones <alex weej com>
- Cc: desktop-devel-list <desktop-devel-list gnome org>
- Subject: Re: error: format not a string literal and no format arguments
- Date: Sun, 06 Jul 2008 10:10:57 -0400
On Sun, 2008-07-06 at 09:49 -0400, Colin Walters wrote:
> On Sun, 2008-07-06 at 02:40 +0100, Alexander Jones wrote:
>
> > Yeah, I could just use -Wleave-me-alone-ffs or something, but it's
> > probably worth considering this properly.
>
> No, it should be a hard-stop error because in many instances it's a
> security flaw if the input string is in any way controlled by a
> potential attacker:
> http://en.wikipedia.org/wiki/Format_string_vulnerabilities
For what it's worth I just fixed the ones I saw in the rhythmbox
code.
From a quick evaluation I didn't see any that were obviously controlled
by a potential attacker (e.g. downloaded filenames, network input), but
I'm less sure that the strings couldn't have format specifiers in them
and likely that would be a segfault at least.
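
The following C sketch is an added example, not part of the original message and not code from rhythmbox. It shows the pattern that gcc's `-Wformat-security` reports as "format not a string literal and no format arguments", next to the usual fix. The function names and the sample title are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style directives in s. "%%" is a literal percent sign and
 * is not counted; any other '%' starts a directive that printf would try
 * to satisfy from arguments that were never passed. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened form: the format is a string literal and the untrusted text is
 * only ever an argument, so directives inside it are copied verbatim. */
static int show_message_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* The form the compiler rejects:
 *     snprintf(out, outlen, untrusted);
 * It is left as a comment because calling it with the sample below is
 * undefined behaviour (reads missing arguments, and %n writes memory). */

int main(void)
{
    /* Constructed sample: a track title that happens to contain directives. */
    const char *title = "100%sure_%n.mp3";
    char buf[64];

    show_message_safe(buf, sizeof buf, title);
    printf("directives in title: %d\n", count_format_directives(title));
    printf("rendered safely:     %s\n", buf);
    return 0;
}
```
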