From: Bruno H. <br...@cl...> - 2017-09-10 13:58:52
Pascal Bourguignon wrote on 2017-08-25:

> > fprint(stderr,GETTEXTL("Warning: "));

The point is that this is some external data, obtained at run-time from files that are not necessarily under the control of the program (e.g. some distributions package the localisable file separately).

'fprint' does not do format string processing (unlike fprintf). Therefore if some malicious translation is present in a .mo file, the program will output it, but it will not crash from it. (Although if it contains ANSI control codes, it may make your terminal go into strange states or crash. But that's a bug in the terminal emulator.)

The security risks for setuid programs are handled through glibc/intl/ or libintl (on non-glibc systems).

Bruno
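The distinction Bruno draws, translated text written out as data versus handed to fprintf as a format string, and his caveat about control codes in a hostile .mo file, as an added example in C. This is not code from the thread or from CLISP: fputs stands in for CLISP's fprint, the msgid/msgstr strings are constructed here, and the directive counter is a simplified stand-in for the c-format check that msgfmt performs, not a full printf parser.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Count printf conversion directives in s. "%%" is a literal percent,
   not a directive. Deliberately simple (assumption of this example):
   it counts '%' introducers and does not parse flags, widths or
   conversion characters. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is an escaped percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* A translation is acceptable as a *format string* only if it carries
   the same directives as the msgid it replaces. Comparing counts is the
   simplified version; msgfmt --check-format compares them in full. */
int translation_is_safe_format(const char *msgid, const char *msgstr)
{
    return count_directives(msgid) == count_directives(msgstr);
}

/* Copy in to out, dropping control bytes (anything below 0x20 except
   '\n' and '\t', plus DEL) so that a hostile .mo file cannot drive the
   terminal with escape sequences. Returns the number of bytes written,
   excluding the terminating NUL. */
size_t strip_controls(const char *in, char *out, size_t outsz)
{
    size_t w = 0;
    if (outsz == 0)
        return 0;
    for (; *in && w + 1 < outsz; in++) {
        unsigned char c = (unsigned char)*in;
        if ((c < 0x20 && c != '\n' && c != '\t') || c == 0x7f)
            continue;
        out[w++] = (char)c;
    }
    out[w] = '\0';
    return w;
}

/* Emit a translated message strictly as data: fputs never interprets
   '%', so no directive in the translation is ever evaluated. This is
   the role fprint plays in the thread (fputs is our stand-in). */
void emit_translated(FILE *fp, const char *translated)
{
    char buf[256];
    strip_controls(translated, buf, sizeof buf);
    fputs(buf, fp);
}

/* Constructed sample strings standing in for one msgid and two .mo
   translations of it: one benign, one carrying directives and an
   ANSI clear-screen sequence. */
static const char *MSGID          = "Warning: ";
static const char *MSGSTR_OK      = "Warnung: ";
static const char *MSGSTR_HOSTILE = "Warnung: %s%n\x1b[2J";

int main(void)
{
    printf("benign translation usable as format string: %d\n",
           translation_is_safe_format(MSGID, MSGSTR_OK));
    printf("hostile translation usable as format string: %d\n",
           translation_is_safe_format(MSGID, MSGSTR_HOSTILE));
    /* Whatever the check says, write the text out as data only. */
    emit_translated(stderr, MSGSTR_HOSTILE);
    fputc('\n', stderr);
    return 0;
}
```

The two checks address the two separate risks in the mail: translation_is_safe_format is the load-time or build-time guard that matters if a message is ever passed to fprintf, while emit_translated is the output path that stays safe regardless, since the text is never treated as a format string and terminal control bytes are dropped before it reaches the terminal emulator.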