Merge pull request #3569 from geoffw0/strftime

C++: Taint flow consistency change for strftime

Author: jbj

cpp/ql/src/semmle/code/cpp/models/implementations/Strftime.qll

@@ -10,10 +10,7 @@ class Strftime extends TaintFunction, ArrayFunction {
       input.isParameterDeref(2) or
       input.isParameterDeref(3)
     ) and
-    (
-      output.isParameterDeref(0) or
-      output.isReturnValue()
-    )
+    output.isParameterDeref(0)
   }
 
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 2 }

cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll

@@ -15,6 +15,9 @@ import semmle.code.cpp.models.Models
  * A library function for which a taint-tracking library should propagate taint
  * from a parameter or qualifier to an output buffer, return value, or qualifier.
  *
+ * An expression is tainted if it could be influenced by an attacker to have
+ * an unusual value.
+ *
  * Note that this does not include direct copying of values; that is covered by
  * DataFlowModel.qll. If a value is sometimes copied in full, and sometimes
  * altered (for example copying a string with `strncpy`), this is also considered