* Bruno Haible: > [CCing Florian Weimer. > Florian, the thread started at > https://lists.gnu.org/archive/html/bug-gnulib/2018-12/msg00149.html ] > > Assaf Gordon wrote: >> The comment even says: >> /* Unknown format; output the format, including the '%', >> since this is most likely the right thing to do if a >> multibyte string has been misparsed. */ >> >> This has been the case since 1996 when strftime.c was imported from libc >> (gnulib commit afabd949). >> >> I suspect that changing this behavior would be a disruptive >> backwards-incompatible change (but other opinions are welcomed). > > The "security" and "robustness" aspects of software have gained importance > over the last 22 years, also in domain of glibc. > > Florian, Assaf discovered that glibc processing of time format strings > (strftime) operates according to the garbage-in - garbage-out principle, > that is, an invalid format string does not get reported to the caller > but instead produces output that is "most likely the right thing".
Historically, some Lua scripts have relied on strftime not crashing, but I think this awas fixed on the Lua side a couple of years ago. The standards do not provide a way to report errors for malformed format strings. I think the current behavior is acceptable, all things considered. Thanks, Florian
