More Document Number: N2834
Submitter: Aaron Peter
Bachmann
Submission Date: 2021-10-07
Deprecate the %n
format specifier
in C2X
%n is the target of attacks
trying to compromise software, but provides little utility.
Thus, this paper proposes deprecating or obsoleting the %n
format specifier.
%n
is not supported in bionic
.
[1] %n
format specifier by
default. [2] %n.
[3]Arguments in favor of the proposal:
%n
we can always use the
return value of one of the printf-style functions.%n
is not provided
by several C-libraries, thus cannot be used in portable
programs anyway. %n
gives a grace-period to those
programs still using %n.
The changes given here are relative to N2596 [4].
After
7.21.6.1
8
append the sentence in green.
The argument shall be a pointer to signed integer
whose type is specified by the length modifiers, if any, for the
conversion specification, or shall be int if no length modifiers
are specified for the conversion specification. The number of
characters written to the output stream so far by this call to
fprintf is stored into the integer object pointed to by the
argument. No argument is converted, but one is consumed. If the
conversion specification includes any flags, a field width, or a
precision, the behavior is undefined. The use of n as format
specifier is a deprecated feature.
Aternatively use:
The use of n as format specifier is an
obsolescent feature.
[1] https://android.googlesource.com/platform/bionic/+/HEAD/docs/status.md
[3] https://github.com/ensc/dietlibc/blob/master/README.security
[4] N2596
2020/12/12 Meneide, C2x Working Draft