Gilles Espinasse wrote:
> Remove the code hack preventing the format-zero-length warning and replace it
> with a pragma GCC diagnostic ignored at the top of the code.

This patch is not good, because the warning "zero-length format string"
has existed since at least GCC 3.1, whereas
'#pragma GCC diagnostic ignored "-Wformat-zero-length"' works only in
GCC >= 4.2.

The current code, or the simpler test case
==========================
#include <stdio.h>
int main ()
{
  const char *empty = "";
  printf (empty);
  return 0;
}
==========================

compiles without warnings with "gcc -Wall" with all versions up to 4.7.0.

> With gcc-4.4.5 patched with defaults-format-security.patch, coreutils emits
> test-xvasprintf.c: In function 'test_xasprintf':
> test-xvasprintf.c:98: warning: format not a string literal and no format 
> arguments

I think this warning is not well thought out. From a security point of
view, passing a string that is not a string literal is the dangerous point
to warn about. Whereas a warning for 0 arguments but no warning for 1 or more
arguments is just a heuristic to catch mistakes made by beginners.

So, the warning "format not a string literal and no format arguments" or,
more generally, "format with no format arguments", is a *style* warning,
not a *security* warning.

For the security warning, you should use "format not a string literal"
and do a data flow analysis so as to avoid warnings in

   printf (signed ? "%d" : "%u", arg);

or

   const char *f;
   if (signed) f = "%d"; else f = "%u";
   printf (f, arg);

or

   printf (gettext ("bar %d"), arg);

Bruno
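
The cases discussed in this message, as an added C example that is not part of the original mail or of the gnulib/coreutils code. The function names are hypothetical and the inputs are constructed. Compiling it with `gcc -Wall -Wformat-security -Wformat-nonliteral` shows which calls each option reports.

```c
/* Added example (constructed); function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* '#pragma GCC diagnostic' is only understood by GCC >= 4.2, so it is
   guarded by a version check. On older compilers the empty-format call
   below would still produce the "zero-length format string" warning. */
#if defined __GNUC__ && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 2))
# pragma GCC diagnostic ignored "-Wformat-zero-length"
#endif

/* Empty format string: harmless, produces an empty result. */
int fmt_empty(char *buf, size_t n)
{
  return snprintf(buf, n, "");
}

/* The format is a variable, but every value it can hold is a literal.
   -Wformat-nonliteral reports any non-literal format; telling this case
   apart from a dangerous one needs the data flow analysis the message
   asks for. */
int fmt_select(char *buf, size_t n, int is_signed, int arg)
{
  const char *f;
  if (is_signed) f = "%d"; else f = "%u";
  return snprintf(buf, n, f, arg);
}

/* Text from outside the program is passed as data under a literal "%s".
   The call snprintf(buf, n, untrusted) is the "format not a string
   literal and no format arguments" case: conversion specifiers inside
   'untrusted' would be interpreted instead of copied. */
int fmt_untrusted(char *buf, size_t n, const char *untrusted)
{
  return snprintf(buf, n, "%s", untrusted);
}

int main(void)
{
  char buf[32];
  fmt_untrusted(buf, sizeof buf, "50%d %s");  /* constructed input */
  puts(buf);                                  /* specifiers copied verbatim */
  fmt_select(buf, sizeof buf, 1, -5);
  puts(buf);
  return fmt_empty(buf, sizeof buf);
}
```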

