2 comments

  • gnabgib 4 days ago
    Discussion at the time (181 points, 39 comments) https://news.ycombinator.com/item?id=7389623
  • ori_b 6 hours ago
    OpenBSD has removed the format specifier that makes this possible, for hopefully obvious reasons.
    • josefx 2 hours ago
      Was the thought process: "Anything involving C string handling is fundamentally security hostile, let's fix it by breaking %n!"
      • tom_ 22 minutes ago
        It is the only one that actually writes to memory. It's occasionally convenient, but it's also largely unnecessary: the caller can typically make multiple calls to printf, for example, noting the return value for each one. Or use strlen and fputs. And so on.

        The C11 printf_s functions don't support it at all, so it's clearly already on the naughty list even from the standard's perspective.
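The replacement tom_ describes, as an added example (not code from the thread): the classic use of %n, learning the column at which a field was printed so a caret can be placed under it, done instead with the byte count that snprintf returns, so no format directive ever receives a pointer to write through. Function and parameter names are hypothetical; the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Render "<prefix>: <text>" into line and return the column at which
 * text[token_off] lands in the rendered line, or -1 on error/truncation.
 * The first snprintf covers everything before the token; its return value
 * (bytes that would have been written) is exactly the column %n would have
 * stored, but obtained from a return value rather than a write through a
 * pointer passed to the format string. */
int render_with_caret_col(const char *prefix, const char *text, size_t token_off,
                          char *line, size_t linesz)
{
    if (token_off > strlen(text))
        return -1;
    int col = snprintf(line, linesz, "%s: %.*s", prefix, (int)token_off, text);
    if (col < 0 || (size_t)col >= linesz)
        return -1;
    /* Second call appends the remainder of the text after the token start. */
    int rest = snprintf(line + col, linesz - (size_t)col, "%s", text + token_off);
    if (rest < 0 || (size_t)rest >= linesz - (size_t)col)
        return -1;
    return col;
}

/* Build the caret line: col spaces followed by '^'. Returns 0, or -1 if the
 * caret does not fit in out. */
int caret_line(int col, char *out, size_t outsz)
{
    if (col < 0 || (size_t)col + 2 > outsz)
        return -1;
    memset(out, ' ', (size_t)col);
    out[col] = '^';
    out[col + 1] = '\0';
    return 0;
}

int main(void)
{
    char line[64], caret[64];
    /* Constructed sample: point at the token "foo", which starts at offset 4. */
    int col = render_with_caret_col("expr", "1 + foo * 2", 4, line, sizeof line);
    if (col < 0 || caret_line(col, caret, sizeof caret) < 0)
        return 1;
    puts(line);   /* expr: 1 + foo * 2 */
    puts(caret);  /*           ^        */
    return 0;
}
```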

      • trashb 1 hour ago
        Can you elaborate on the statement "Anything involving C string handling is fundamentally security hostile"?