Re: error: format not a string literal and no format arguments

From: Colin Walters <walters redhat com>
To: Alexander Jones <alex weej com>
Cc: desktop-devel-list <desktop-devel-list gnome org>
Subject: Re: error: format not a string literal and no format arguments
Date: Sun, 06 Jul 2008 10:10:57 -0400

On Sun, 2008-07-06 at 09:49 -0400, Colin Walters wrote:
> On Sun, 2008-07-06 at 02:40 +0100, Alexander Jones wrote:
> 
> > Yeah, I could just use -Wleave-me-alone-ffs or something, but it's
> > probably worth considering this properly.
> 
> No, it should be a hard-stop error because in many instances it's a
> security flaw if the input string is in any way controlled by a
> potential attacker:
> http://en.wikipedia.org/wiki/Format_string_vulnerabilities

For what it's worth I just fixed the ones I saw in the rhythmbox
code. 

>From a quick evaluation I didn't see any that were obviously controlled
by a potential attacker (e.g. downloaded filenames, network input), but
I'm less sure that the strings couldn't have format specifiers in them
and likely that would be a segfault at least.

References:
- error: format not a string literal and no format arguments
  - From: Alexander Jones
- Re: error: format not a string literal and no format arguments
  - From: Colin Walters

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]