On Wed, 21 Feb 2018 09:57:49 +0100 Rasmus Villemoes <[email protected]> wrote:
> On 2018-02-21 01:02, Andrew Morton wrote: > > On Sat, 17 Feb 2018 16:06:42 +0200 Andy Shevchenko > > <[email protected]> wrote: > > > >> On Sat, Feb 17, 2018 at 9:20 AM, Alexey Dobriyan <[email protected]> > >> wrote: > >>> Signed-off-by: Alexey Dobriyan <[email protected]> > >> > >> > >>> - seq_printf(m, "%s", symname); > >>> + seq_puts(m, symname); > >> > >> While this might have no security concerns, the pattern might be > >> brainlessly used by some janitors and there would have security > >> implications. > > > > And I'd like to see a changelog, please. One which explains why > > `symname' cannot have a %s (etc) in it, and never will. > > OK, since #youtoo: It doesn't _matter_ if symname is "%pHAHAHA %fooled > you <unicode for evil grin emoji>", seq_puts does not interpret it at > all. There are _never_ security implications with the above replacement. > Sure, seq_printf(m, symname) would be bad, but that's not what is being > done. doh, OK, sorry. RTFP, Andrew.
