From 5c7de27b054f7012b014bb21a90615e7ab567d68 Mon Sep 17 00:00:00 2001
From: Thorsten Glaser <tg@mirbsd.org>
Date: Wed, 7 May 2014 10:21:35 +0200
Subject: [PATCH] Fix format string vulnerabilities

Never pass user input as first argument of printf(1),
similar to how you never do that with printf(3).

Signed-off-by: Thorsten Glaser <tg@mirbsd.org>
---
 vcsh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vcsh b/vcsh
index 18cd9e5..53bec40 100755
--- a/vcsh
+++ b/vcsh
@@ -255,7 +255,7 @@ list_tracked_by() {
 pull() {
 	hook pre-pull
 	for VCSH_REPO_NAME in $(list); do
-		printf "$VCSH_REPO_NAME: "
+		printf '%s: ' "$VCSH_REPO_NAME"
 		GIT_DIR=$VCSH_REPO_D/$VCSH_REPO_NAME.git; export GIT_DIR
 		use
 		git pull
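Review bot: The repo name that `printf '%s: ' "$VCSH_REPO_NAME"` now prints as data still comes from an unquoted `$(list)` in the `for` line of pull(), and the push() hunk has the same loop. The name therefore goes through field splitting and pathname expansion before it reaches the printf and `GIT_DIR=$VCSH_REPO_D/$VCSH_REPO_NAME.git`. `list` is defined outside these hunks, so it is not visible here whether names containing whitespace or glob characters can occur; that is worth confirming, because the format-string fix does not cover it. I would also add a one-line comment above each printf, for example `# repo name is data, never the format: '%' and '\' must print literally`, so a later cleanup does not fold the variable back into the format. Both function bodies continue past the end of their hunks, and any other `printf "$VAR..."` call sites in vcsh are outside this diff and would need the same check.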
@@ -268,7 +268,7 @@ pull() {
 push() {
 	hook pre-push
 	for VCSH_REPO_NAME in $(list); do
-		printf "$VCSH_REPO_NAME: "
+		printf '%s: ' "$VCSH_REPO_NAME"
 		GIT_DIR=$VCSH_REPO_D/$VCSH_REPO_NAME.git; export GIT_DIR
 		use
 		git push
-- 
GitLab