Subject: Re: error function re-factoring.
To: None <tech-userlevel@netbsd.org>
From: Roland Illig <rillig@NetBSD.org>
List: tech-userlevel
Date: 07/29/2006 14:40:52
Iain Hibbert wrote:
> Roland Illig wrote:
>>Matthias Drochner wrote:
>>
>>>Whether error messages are printed or not... not
>>>sure what is right. But if error messages are printed,
>>>they should not contain the strings passed by the user
>>>as they could contain escape sequences or sensitive
>>>information.
>>
>>Would that mean that _all_ NetBSD utilities, even cat(1), would have to be
>>rewritten to never output control characters when that is not expected? What
>>would be the correct error message if a file whose name contains special
>>characters cannot be found?
> 
> 
> no, it's the difference between
> 
> 	err(EXIT_FAILURE, *argv);	/* bad */
> 
> and
> 
> 	err(EXIT_FAILURE, "%s", *argv);	/* good */

Even the second one can be a security hole if the pathname contains 
characters that are interpreted in some special way by the terminal. I 
think this is what Matthias meant.

Preventing format string bugs like in the case above is trivial 
(-Wformat=2), so it's not worth a discussion here.

Roland