bug-gnu-utils

Re: sharutils does not build with -Werror=format-security


From: Eric Blake
Subject: Re: sharutils does not build with -Werror=format-security
Date: Mon, 14 Oct 2013 08:06:38 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0

On 10/12/2013 04:26 PM, Bruce Korb wrote:

>>   if (access (local_name, 4))
>>     {
>>       error (0, errno, _("Cannot access %s"), local_name);

In THIS form, xgettext recognizes the %s, and marks the string in the
.po file with an annotation that it appears to be a printf formatter,
and therefore gettext() will sanitize the translation to ensure that the
translation also supplies at most %s.

>>       else
>> -      error (0, errno, _("Cannot get current directory name"));
>> +      error (0, errno, "%s", _("Cannot get current directory name"));
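
Review bot: the added `error (0, errno, "%s", _("Cannot get current directory name"));` line has no comment saying why the "%s" is there, so to a later reader it looks redundant and could be folded back into the removed form. Suggest a one-line comment above the call stating that the translated message is passed as an argument, so that any % in a translation is printed literally, which is what -Werror=format-security asks for here.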

but in THIS form, xgettext sees no % mark, so it does NOT mark the .po
file, and therefore gettext() no longer attempts to sanitize the
translation, and a translator can sneak in any % mark.  Yes, you can
argue that xgettext could be made smarter to properly annotate
string-literal formats with a printf annotation to force runtime
sanitization of the translation, but for now, adding a "%s" format
argument is the easiest way to shut up the existing tool chain rather
than waiting for a fixed toolchain.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature
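
The format check discussed in the message above, as an added example that is not part of the original post or of gettext: it compares the printf conversions of a msgid with those of its translation and rejects a translation that uses any conversion the msgid does not supply. The function names and the msgid/msgstr pairs are constructed for illustration; length modifiers, `*` widths and positional `%1$s` arguments are not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Write the conversion characters of a printf-style string to out,
   e.g. "Cannot access %s (%d)" -> "sd"; "%%" is a literal percent.
   Returns -1 on a dangling '%' or if out is too small. */
static int conv_sig(const char *s, char *out, size_t n)
{
    size_t k = 0;
    if (n == 0)
        return -1;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (*++s == '%')
            continue;
        s += strspn(s, "-+ #0123456789.hlLqjzt"); /* flags, width, length */
        if (*s == '\0' || k + 1 >= n)
            return -1;
        out[k++] = *s;
    }
    out[k] = '\0';
    return 0;
}

/* 1 if msgstr is acceptable where msgid is the format: its conversion
   characters must be a prefix of msgid's, so it never consumes an
   argument the caller did not pass.  0 otherwise (also if malformed). */
int translation_ok(const char *msgid, const char *msgstr)
{
    char a[64], b[64];
    if (conv_sig(msgid, a, sizeof a) || conv_sig(msgstr, b, sizeof b))
        return 0;
    return strncmp(a, b, strlen(b)) == 0;
}

int main(void)
{
    /* Constructed msgid/msgstr pairs, not taken from a real .po file. */
    static const char *po[][2] = {
        { "Cannot access %s", "Kein Zugriff auf %s" },
        { "Cannot access %s", "Kein Zugriff auf %s (%d)" },
        { "Cannot get current directory name", "Verzeichnisname %s fehlt" },
        { "Cannot get current directory name", "Verzeichnisname fehlt" },
    };
    for (size_t i = 0; i < sizeof po / sizeof po[0]; i++)
        printf("%-26s -> %s\n", po[i][1],
               translation_ok(po[i][0], po[i][1]) ? "ok" : "REJECT");
    return 0;
}
```

The third pair is the case the message is about: a msgid with no conversions whose translation contains one. A check like this catches it only if it is run on that string, and passing the message as the argument of a literal "%s" makes the result harmless either way.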


reply via email to

[Prev in Thread] Current Thread [Next in Thread]