Even worse (was Re: Google Code Search)
andy at hexten.net
Fri Oct 6 15:42:12 BST 2006
On 6 Oct 2006, at 15:34, Sue Spence wrote:
>> Are you saying /any/ use of gets() is bad? Most of the examples I
>> read on the first two pages don't seem to present much in the way
>> of risk.
> gets() is inherently unsafe because there is no way to control the
> size of the amount of data from stdin that will be shoved into the
> buffer passed to it. fgets() is usually used instead, because it
> takes a 'max size' parameter.
Yes, thanks. I know why gets is unsafe. But if you're using it to get
input for, e.g. a test harness that'll only ever be run by a trusted
user (as seems to be the case with at least two of the examples found
by the search above) it doesn't represent a security risk. Bad
practice maybe - but not a specific problem.
Andy Armstrong, hexten.net
More information about the london.pm