Peter Eisentraut <pete...@gmx.net> writes: > You apparently have your compiler configured with -Wformat-security. Our > code > doesn't do that. I think the cases the warning complains about are fine and > the way the warning is designed is a bit bogus.
Hm, only a bit. You know, we've had precisely this bug at least once not that long ago. And the way the warning is designed it won't fire any false positives except in cases that are easily avoided. There's an argument to be made that the code is easier to audit if you put the "%s" format string in explicitly too. Even if the current code is correct you have to trace the variable back up to its source to be sure. If you add the escape then you can see that the code is safe just from that line of code alone. -- Gregory Stark EnterpriseDB http://www.enterprisedb.com Ask me about EnterpriseDB's Slony Replication support! -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
