From: | Grzegorz Jaskiewicz <gj(at)pointblue(dot)com(dot)pl> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | pgsql-hackers Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Fixes for compiler warnings |
Date: | 2009-01-18 10:43:46 |
Message-ID: | C51B6AFA-9588-4823-80CD-53C5BD7AD88A@pointblue.com.pl |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 2009-01-18, at 09:56, Peter Eisentraut wrote:
> On Sunday 18 January 2009 08:28:51 Tom Lane wrote:
>> Yeah, the risk this is trying to guard against is variables
>> containing
>> "%" unexpectedly. Even if that's not possible, it requires some work
>> to verify and it's a bit fragile. I didn't look at the specific
>> cases
>> yet but in general I think this is a good policy.
>
> -Wformat-security warns about
>
> printf(var);
>
> but not about
>
> printf(var, a);
>
> I don't understand that; the crash or exploit potential is pretty
> much the
> same in both cases.
not at all. First case allows you to pass in var from outside, with
your, well crafted format strings. Please read more about subject,
before you say something that silly.
From | Date | Subject | |
---|---|---|---|
Next Message | Brendan Jurd | 2009-01-18 11:24:15 | Re: Meridiem markers (was: [BUGS] Incorrect "invalid AM/PM string" error from to_timestamp) |
Previous Message | Peter Eisentraut | 2009-01-18 09:56:51 | Re: Fixes for compiler warnings |