Even worse (was Re: Google Code Search)

Andy Armstrong andy at hexten.net
Fri Oct 6 15:42:12 BST 2006

On 6 Oct 2006, at 15:34, Sue Spence wrote:
>> Are you saying /any/ use of gets() is bad? Most of the examples I  
>> read on the first two pages don't seem to present much in the way  
>> of risk.
> gets() is inherently unsafe because there is no way to control the  
> size of the amount of data from stdin that will be shoved into the  
> buffer passed to it. fgets() is usually used instead, because it  
> takes a 'max size' parameter.

Yes, thanks. I know why gets is unsafe. But if you're using it to get  
input for, e.g. a test harness that'll only ever be run by a trusted  
user (as seems to be the case with at least two of the examples found  
by the search above) it doesn't represent a security risk. Bad  
practice maybe - but not a specific problem.

Andy Armstrong, hexten.net

More information about the london.pm mailing list