git.ipfire.org Git - thirdparty/git.git/commit

author	Jeff King <peff@peff.net>
	Tue, 24 Jul 2018 09:28:28 +0000 (05:28 -0400)
committer	Junio C Hamano <gitster@pobox.com>
	Thu, 26 Jul 2018 17:12:51 +0000 (10:12 -0700)
commit	e488b7aba743d23b830d239dcc33d9ca0745a9ad
tree	58b07083dbd86661932af7553052cbec35a4fb94	tree \| snapshot
parent	cc8fdaee1eeaf05d8dd55ff11f111b815f673c58	commit \| diff

banned.h: mark strncpy() as banned

The strncpy() function is less horrible than strcpy(), but
is still pretty easy to misuse because of its funny
termination semantics. Namely, that if it truncates it omits
the NUL terminator, and you must remember to add it
yourself. Even if you use it correctly, it's sometimes hard
for a reader to verify this without hunting through the
code. If you're thinking about using it, consider instead:

  - strlcpy() if you really just need a truncated but
    NUL-terminated string (we provide a compat version, so
    it's always available)

  - xsnprintf() if you're sure that what you're copying
    should fit

  - strbuf or xstrfmt() if you need to handle
    arbitrary-length heap-allocated strings

Note that there is one instance of strncpy in
compat/regex/regcomp.c, which is fine (it allocates a
sufficiently large string before copying). But this doesn't
trigger the ban-list even when compiling with NO_REGEX=1,
because:

  1. we don't use git-compat-util.h when compiling it
     (instead we rely on the system includes from the
     upstream library); and

  2. It's in an "#ifdef DEBUG" block

Since it's doesn't trigger the banned.h code, we're better
off leaving it to keep our divergence from upstream minimal.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>