http server: sprintf is considered deprecated

gdamore · gdamore · commit d0d48cad8953 · 2024-12-01T07:02:49.000-05:00
Because it is typically associated with insecure code, use of sprintf
is discouraged.  Note that our usage was actually quite careful and
not insecure, but its mere presence raises concern especially by parties
who are unwilling or unable to assess the actual code for correctness.

A better choice here would be strlcat, but strlcat is not universally
available.
diff --git a/src/supplemental/http/http_server.c b/src/supplemental/http/http_server.c
@@ -1571,7 +1571,8 @@ http_handle_dir(nni_aio *aio)
 
 	rv = 0;
 	if (nni_file_is_dir(pn)) {
-		sprintf(dst, "%s%s", NNG_PLATFORM_DIR_SEP, "index.html");
+		snprintf(dst, pnsz - strlen(pn), "%s%s", NNG_PLATFORM_DIR_SEP,
+		    "index.html");
 		if (!nni_file_is_file(pn)) {
 			pn[strlen(pn) - 1] = '\0'; // index.html -> index.htm
 			if (!nni_file_is_file(pn)) {
