Even worse (was Re: Google Code Search)
`the.lusercop' at lusercop.net
Fri Oct 6 17:36:59 BST 2006
On Fri, Oct 06, 2006 at 03:42:12PM +0100, Andy Armstrong wrote:
> On 6 Oct 2006, at 15:34, Sue Spence wrote:
[>>Andy initially wrote:]
>>> Are you saying /any/ use of gets() is bad? Most of the examples I
>>> read on the first two pages don't seem to present much in the way
>>> of risk.
>> gets() is inherently unsafe because there is no way to control the
>> size of the amount of data from stdin that will be shoved into the
>> buffer passed to it. fgets() is usually used instead, because it
>> takes a 'max size' parameter.
> Yes, thanks. I know why gets is unsafe. But if you're using it to get
Then why ask the question?
> input for, e.g. a test harness that'll only ever be run by a trusted
> user (as seems to be the case with at least two of the examples found
> by the search above) it doesn't represent a security risk. Bad
> practice maybe - but not a specific problem.
Until someone comes along and doesn't know about the restriction, or more
data gets added or...
Not a security risk in this case, per se, but a risk nonetheless.
My personal opinion is that *any* use of gets() is bad. If you're not
bothering with that, then what else have you done wrong?
Lusercop.net - LARTing Lusers everywhere since 2002
More information about the london.pm