[RFC] Adding warnings against usage of %n

Hello everyone,

We’re interested in warning against the usage of the “%n” format string specifier to discourage developers from using this potentially unsafe format specifier.

We were thinking of enabling this as a warning under the -Wformat-security flag but are open to alternatives, some ideas were:

  • Placing this check under its own flag (something along the lines of “-Wformat-n”) and possibly enabling it with -Wformat or -Wformat-security

  • Adding a check to clang-tidy

  • Setting the default configuration based on the target triple (target runtimes may disallow %n altogether and we could detect this based on the target triple)

Interested in any thoughts on:

  • How should we enable this? (eg. flags, clang-tidy, etc)

  • Should we surface this as an error or a warning?

Thanks,
Jayson