[cfe-dev] [RFC] Adding warnings against usage of %n
Jayson Yan via cfe-dev
cfe-dev at lists.llvm.org
Wed Sep 22 14:32:52 PDT 2021
Hello everyone,
We’re interested in warning against the usage of the “%n” format string
specifier to discourage developers from using this potentially unsafe
format specifier.
We were thinking of enabling this as a warning under the -Wformat-security
flag but are open to alternatives; some ideas were:

- Placing this check under its own flag (something along the lines of
  "-Wformat-n") and possibly enabling it with -Wformat or -Wformat-security
- Adding a check to clang-tidy
- Setting the default configuration based on the target triple (target
  runtimes may disallow %n altogether and we could detect this based on the
  target triple)
Interested in any thoughts on:

- How should we enable this? (e.g. flags, clang-tidy, etc.)
- Should we surface this as an error or a warning?
Thanks,
Jayson
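For readers unfamiliar with the specifier the RFC targets, the following is an added illustration (not code from the post or from Clang) of what "%n" does and of the drop-in replacement that needs no write-through-pointer at all. The function names, the buffer size and the sample input "alice" are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Legacy pattern a "-Wformat-n"-style check would flag: "%n" consumes no
   input and instead stores the number of bytes printed so far into the int
   that its argument points to. With a trusted, constant format string and
   a local target this call is well-defined, but because the specifier
   turns a printf call into a memory write, some C runtimes restrict or
   disable it entirely (MSVC's CRT disables it by default), which is the
   target-triple dependence the RFC mentions. */
static int count_with_n(char *buf, size_t len, const char *user) {
    int written = -1;                  /* %n will overwrite this */
    snprintf(buf, len, "user=%s%n", user, &written);
    return written;
}

/* Same result without "%n": snprintf already returns the number of bytes
   that would have been written (terminator excluded), so the count can be
   obtained without handing the formatter a pointer to write through. */
static int count_without_n(char *buf, size_t len, const char *user) {
    return snprintf(buf, len, "user=%s", user);
}

int main(void) {
    char buf[64];                      /* large enough that nothing is truncated */
    printf("with %%n:    %d\n", count_with_n(buf, sizeof buf, "alice"));
    printf("without %%n: %d (%s)\n", count_without_n(buf, sizeof buf, "alice"), buf);
    return 0;
}
```

Both functions produce the same count and the same formatted buffer, which is the point: every legitimate use of "%n" with a constant format string can be rewritten to use the return value, so a warning on the specifier costs nothing for correct code while removing a primitive that has been central to format-string vulnerabilities.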