[gnutls-devel] GnuTLS | tools: suppress ctime() error from lgtm warnings (!994)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu May 9 21:34:46 CEST 2019
Nikos Mavrogiannopoulos commented on a discussion on src/certtool.c: https://gitlab.com/gnutls/gnutls/merge_requests/994#note_168475016
>
> if (ca_crt && (secs > gnutls_x509_crt_get_expiration_time(ca_crt))) {
> time_t exp = gnutls_x509_crt_get_expiration_time(ca_crt);
> - fprintf(stderr, "\nExpiration time: %s", ctime(&secs));
> - fprintf(stderr, "CA expiration time: %s", ctime(&exp));
> + fprintf(stderr, "\nExpiration time: %s", ctime(&secs)); //lgtm [cpp/potentially-dangerous-function]
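Review bot: the added fprintf line keeps the ctime(&secs) call and only appends the //lgtm [cpp/potentially-dangerous-function] suppression, so the analyzer is silenced while the call it flagged is unchanged. ctime() returns a pointer to shared static storage and may return NULL for a value it cannot convert, and that result goes straight into %s here; converting with localtime_r() and strftime() into a local buffer, with both results checked, would let the suppression comment be dropped. The quoted excerpt also shows both original fprintf lines removed but only the first one re-added, so confirm the "CA expiration time" output is still printed.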
> In this case I would even throw in that ctime() indeed should be avoided. Just think of copy&pasting code into a multi-threaded application or library. After an RCE, someone will ask "where did this code come from? Oh from GnuTLS - what a crap!".
`ctime()` is perfectly fine the way it is used in this application. I understand someone else can misuse it but I do not see much value in writing code for other applications than the one intended for. Anyway, I was convinced to make that warning go in general, so I've pushed for another version which uses strftime with '%c'.
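The strftime-based replacement mentioned in the reply above, sketched as an added example; it is not the code pushed to the GnuTLS merge request. The helper name `format_time`, its signature and the sample timestamp are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L /* for localtime_r() */
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Hypothetical helper (name and signature are assumptions, not GnuTLS code).
 * Formats t as local time with strftime("%c") into the caller's buffer.
 * Returns the string length, or -1 if the time cannot be converted or
 * does not fit; on failure buf holds an empty string, so it is always
 * safe to pass to "%s".
 */
static int format_time(time_t t, char *buf, size_t buflen)
{
    struct tm tm;
    size_t n;

    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';

    /* localtime_r() fills caller-owned storage; ctime() and
     * localtime() return pointers to shared static data. */
    if (localtime_r(&t, &tm) == NULL)
        return -1;

    /* strftime() returns 0 when the result does not fit; the buffer
     * contents are then unspecified, so reset it. */
    n = strftime(buf, buflen, "%c", &tm);
    if (n == 0) {
        buf[0] = '\0';
        return -1;
    }
    return (int)n;
}

int main(void)
{
    char when[64];
    time_t secs = 1557430486; /* constructed sample value */

    /* Unlike ctime(), "%c" adds no trailing newline, so the format
     * string has to supply it. */
    if (format_time(secs, when, sizeof(when)) < 0)
        snprintf(when, sizeof(when), "(unrepresentable time)");
    fprintf(stderr, "\nExpiration time: %s\n", when);
    return 0;
}
```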