On Sun Jan 21, 2024 at 11:11 PM CST, Sutou Kouhei wrote:
> Hi,
>
> I'm an extension developer. If I use PostgreSQL built with
> Meson, I get the following warning:
>
> cc1: warning: '-Wformat-security' ignored without '-Wformat' [-Wformat-security]
>
> Because "pg_config --cflags" includes -Wformat-security but
> doesn't include -Wformat.
>
> Can we specify -Wformat as a common warning flag too? If we
> do it, "pg_config --cflags" includes both of
> -Wformat-security and -Wformat. So I don't get the warning.
The GCC documentation[0] says the following:
> If -Wformat is specified, also warn about uses of format functions
> that represent possible security problems. At present, this warns
> about calls to printf and scanf functions where the format string is
> not a string literal and there are no format arguments, as in printf
> (foo);. This may be a security hole if the format string came from
> untrusted input and contains ‘%n’. (This is currently a subset of what
> -Wformat-nonliteral warns about, but in future warnings may be added
> to -Wformat-security that are not included in -Wformat-nonliteral.)
It sounds like a legitimate issue. I have confirmed the issue exists
with a pg_config compiled with Meson. I can also confirm that this issue
exists in the autotools build.
Here is a v2 of your patch which includes the fix for autotools. I will
mark this "Ready for Committer" in the commitfest. Thanks!
[0]: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html
--
Tristan Partin
Neon (https://neon.tech)