From: Thorsten Glaser <tg@mirbsd.org>
Date: Wed, 7 May 2014 08:21:35 +0000 (+0200)
Subject: Fix format string vulnerabilities
X-Git-Url: https://git.madduck.net/code/vcsh.git/commitdiff_plain/40e5aabecac46a43b1e68d7c8cb0a4668e780bb1?hp=--cc

Fix format string vulnerabilities

Never pass user input as first argument of printf(1),
similar to how you never do that with printf(3).

Signed-off-by: Thorsten Glaser <tg@mirbsd.org>
---

40e5aabecac46a43b1e68d7c8cb0a4668e780bb1
diff --git a/vcsh b/vcsh
index 31a6019..355e9fa 100755
--- a/vcsh
+++ b/vcsh
@@ -255,7 +255,7 @@ list_tracked_by() {
 pull() {
 	hook pre-pull
 	for VCSH_REPO_NAME in $(list); do
-		printf "$VCSH_REPO_NAME: "
+		printf '%s: ' "$VCSH_REPO_NAME"
 		GIT_DIR=$VCSH_REPO_D/$VCSH_REPO_NAME.git; export GIT_DIR
 		use
 		git pull
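Review bot: The loop header `for VCSH_REPO_NAME in $(list); do` in pull() still expands the output of list unquoted, so a repository name containing whitespace or glob characters is split or pathname-expanded before the now-safe `printf '%s: ' "$VCSH_REPO_NAME"` sees it; push() in the next hunk has the same loop. If list prints one name per line, `list | while IFS= read -r VCSH_REPO_NAME; do` would keep each name intact, but it runs the body in a subshell and hands git the pipe as stdin, so it would need checking against hook and use. At minimum, a comment above the loop such as `# repo names must not contain whitespace or glob characters (unquoted $(list))` would document the assumption. Note also that `%s` writes the name byte for byte, so any control characters in a name still reach the terminal. Both function bodies continue outside the hunks.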
@@ -268,7 +268,7 @@ pull() {
 push() {
 	hook pre-push
 	for VCSH_REPO_NAME in $(list); do
-		printf "$VCSH_REPO_NAME: "
+		printf '%s: ' "$VCSH_REPO_NAME"
 		GIT_DIR=$VCSH_REPO_D/$VCSH_REPO_NAME.git; export GIT_DIR
 		use
 		git push