Even worse (was Re: Google Code Search)

Lusercop `the.lusercop' at lusercop.net
Fri Oct 6 17:36:59 BST 2006

On Fri, Oct 06, 2006 at 03:42:12PM +0100, Andy Armstrong wrote:
> On 6 Oct 2006, at 15:34, Sue Spence wrote:
[>>Andy initially wrote:]
>>> Are you saying /any/ use of gets() is bad? Most of the examples I  
>>> read on the first two pages don't seem to present much in the way  
>>> of risk.
>> gets() is inherently unsafe because there is no way to control the  
>> size of the amount of data from stdin that will be shoved into the  
>> buffer passed to it. fgets() is usually used instead, because it  
>> takes a 'max size' parameter.
> Yes, thanks. I know why gets is unsafe. But if you're using it to get  

Then why ask the question?

> input for, e.g. a test harness that'll only ever be run by a trusted  
> user (as seems to be the case with at least two of the examples found  
> by the search above) it doesn't represent a security risk. Bad  
> practice maybe - but not a specific problem.

Until someone comes along and doesn't know about the restriction, or more
data gets added or...

Not a security risk in this case, per se, but a risk nonetheless.

My personal opinion is that *any* use of gets() is bad. If you're not
bothering with that, then what else have you done wrong?

Lusercop.net - LARTing Lusers everywhere since 2002

More information about the london.pm mailing list