Tom Lane <tgl@sss.pgh.pa.us> writes:
> The really nasty cases are like this:
>
> const char *myfmt = gettext_noop("Some bleat about object \"%s\".");
>
> ...
>
> errmsg(myfmt, objectname)
>
> where there really is no simple way to convince the compiler that you
> know what you're doing without breaking functionality. This is probably
> why -Wformat-security doesn't warn about the latter type of usage. It
> does kind of beg the question of why bother with that warning though ...

It makes sense to me: if you have arguments for the format string then
presumably you've at some point had to check that the format string has
escapes for those arguments.

The only danger in the coding style comes from the possibility that there are
escapes you didn't anticipate. It's a lot harder to expect specific non-zero
escapes and find something else than to just not think about it at all and
unknowingly depend on having no escapes.

And it would take willful ignorance to depend on having some specific set of
escapes in an unchecked string provided by an external data source, which is
where the worst danger lies.

--
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
  Ask me about EnterpriseDB's RemoteDBA services!
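
An added example, not part of the original message or of PostgreSQL's code: one way to check at run time that a format string held in a variable contains exactly the escapes the caller expects before it is passed to a printf-style function. The helper names (fmt_signature, fmt_expects, safe_report) and the fallback text are hypothetical.

```c
#include <stdio.h>
#include <string.h>

static int put(char *sig, size_t siglen, size_t *n, char c)
{
    if (*n + 1 >= siglen) return -1;   /* keep room for the NUL */
    sig[(*n)++] = c;
    return 0;
}

/* Added example (hypothetical helpers). Reduce a printf-style format to the
 * arguments it consumes, e.g. "%s has %ld rows (100%%)" -> "sld". A '*' width
 * or precision is kept because it consumes an int. Returns -1 for %n,
 * positional (%1$s), truncated or unknown escapes, or if sig is too small. */
static int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    if (siglen == 0) return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                    /* literal percent */
        p += strspn(p, "-+ #0");                      /* flags */
        for (int part = 0; part < 2; part++) {        /* width, then precision */
            if (*p == '*') { if (put(sig, siglen, &n, *p++)) return -1; }
            else p += strspn(p, "0123456789");
            if (part == 0 && *p == '.') p++; else break;
        }
        while (*p && strchr("hlLjztq", *p))           /* length modifiers */
            if (put(sig, siglen, &n, *p++)) return -1;
        if (!*p || !strchr("diouxXeEfFgGaAcsp", *p)) return -1;
        if (put(sig, siglen, &n, *p)) return -1;
    }
    sig[n] = '\0';
    return 0;
}

/* True when fmt consumes exactly the argument list described by expected. */
static int fmt_expects(const char *fmt, const char *expected)
{
    char sig[64];
    return fmt_signature(fmt, sig, sizeof sig) == 0 && strcmp(sig, expected) == 0;
}

/* Use a runtime-chosen format only if it takes exactly one string argument;
 * otherwise fall back to a fixed literal (constructed fallback text). */
static int safe_report(char *out, size_t outlen, const char *fmt, const char *obj)
{
    if (fmt_expects(fmt, "s")) return snprintf(out, outlen, fmt, obj);
    return snprintf(out, outlen, "(bad message format) object \"%s\"", obj);
}
```

The signature comparison is strict about length modifiers, so a format using "%ld" where the caller passes an int is rejected rather than silently accepted.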