[gnutls-devel] GnuTLS | tools: suppress ctime() error from lgtm warnings (!994)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu May 9 21:34:46 CEST 2019

Nikos Mavrogiannopoulos commented on a discussion on src/certtool.c: https://gitlab.com/gnutls/gnutls/merge_requests/994#note_168475016

>  		if (ca_crt && (secs > gnutls_x509_crt_get_expiration_time(ca_crt))) {
>  			time_t exp = gnutls_x509_crt_get_expiration_time(ca_crt);
> -			fprintf(stderr, "\nExpiration time: %s", ctime(&secs));
> -			fprintf(stderr, "CA expiration time: %s", ctime(&exp));
> +			fprintf(stderr, "\nExpiration time: %s", ctime(&secs)); //lgtm [cpp/potentially-dangerous-function]

> In this case I would even throw in that ctime() indeed should be avoided. Just think of copy&pasting code into a multi-threaded application or library. After an RCE, someone will ask "where did this code come from ? Oh from GnuTLS - what a crap !".

`ctime()` is perfectly fine the way it is used in this application. I understand someone else can misuse it but I do not see much value in writing code for other applications than the one intended for. Anyway, I was convinced to make that warning go in general, so I've pushed for another version which uses strftime with '%c'.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/994#note_168475016
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190509/fe5d47a2/attachment.html>

More information about the Gnutls-devel mailing list