Peter Eisentraut wrote:
> -Wformat-security warns about
>
> printf(var);
>
> but not about
>
> printf(var, a);
>
> I don't understand that; the crash or exploit potential is pretty much the
> same in both cases.

Not sure this is the reason, but in the first case any risk is trivially
avoided by using puts() or printf("%s", var) instead. So printf(var) is
almost certainly not what you mean.

I think that's a reasonable warning to have enabled, whereas the other
one is more of a "try it sometime, you might find something" kind of
warning.

Jeroen
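
Added example, not part of the original messages: the two call forms from the thread next to the printf("%s", var) replacement, using snprintf in place of printf so the result can be inspected. The function names and the input string are constructed for illustration; -Wformat-nonliteral is the GCC option that reports the second form.

```c
/* Compile with: cc -Wformat -Wformat-security -Wformat-nonliteral demo.c */
#include <stdio.h>
#include <string.h>

static char buf[64]; /* shared scratch buffer; each call overwrites it */

/* Form 1 from the thread, printf(var): reported by -Wformat-security. */
const char *as_format(const char *var)
{
    snprintf(buf, sizeof buf, var);
    return buf;
}

/* Form 2, printf(var, a): not reported by -Wformat-security;
 * -Wformat-nonliteral reports it. */
const char *as_format_with_arg(const char *var, int a)
{
    snprintf(buf, sizeof buf, var, a);
    return buf;
}

/* Replacement from the reply, printf("%s", var): var is only data. */
const char *as_data(const char *var)
{
    snprintf(buf, sizeof buf, "%s", var);
    return buf;
}

int main(void)
{
    /* Constructed input: ten characters, two of them '%'. */
    const char *input = "100%% sure";

    /* Passed as the format, "%%" is a conversion and collapses to one '%'. */
    printf("as format: %s\n", as_format(input));
    /* Passed as an argument to "%s", the string is copied unchanged. */
    printf("as data:   %s\n", as_data(input));
    /* Form 2 behaves correctly only while var matches the arguments. */
    printf("with arg:  %s\n", as_format_with_arg("%d%% sure", 100));
    return 0;
}
```

The first two lines of output differ by one character, which is the visible sign that the first form treats its input as a format rather than as text.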