Re: new module suggestion: fprintftime-check

[Assaf Gordon]

On 2018-12-28 11:08 p.m., Bruno Haible wrote:
> [CCing Florian Weimer.
> Florian, the thread started at
> https://lists.gnu.org/archive/html/bug-gnulib/2018-12/msg00149.html ]
>
> Assaf Gordon wrote:
> > The comment even says:
> >         /* Unknown format; output the format, including the '%',
> >            since this is most likely the right thing to do if a
> >            multibyte string has been misparsed.  */
> >
> > This has been the case since 1996 when strftime.c was imported from libc
> > (gnulib commit afabd949).
> >
> > I suspect that changing this behavior would be a disruptive
> > backwards-incompatible change (but other opinions are welcomed).
>
> The "security" and "robustness" aspects of software have gained importance
> over the last 22 years, also in domain of glibc.
>
> Florian, Assaf discovered that glibc processing of time format strings
> (strftime) operates according to the garbage-in - garbage-out principle,
> that is, an invalid format string does not get reported to the caller
> but instead produces output that is "most likely the right thing".
>
> Is this still considered the adequate processing, from a glibc point of
> view?

For reference, this is about ./time/strftime_l.c lines 1414-1428:

https://sourceware.org/git/?p=glibc.git;a=blob;f=time/strftime_l.c;h=c71f9f47a9525046b59a89c005de22a304367d4d;hb=HEAD#l1414


Also, POSIX says:
"If a conversion specification does not correspond to any of the above, 
the behavior is undefined."
http://pubs.opengroup.org/onlinepubs/9699919799/functions/strftime.html

Looking at the "bigger picture",
I'll just say my goal is to provide a helpful warning in date(1),
not to change any APIs...


regards,
 - assaf