Subject: Re: gets()
To: Richard Tobin <richard@cogsci.edinburgh.ac.uk>
From: John F. Woods <jfw@ksr.com>
List: current-users
Date: 03/11/1994 10:19:39

> > any program which uses gets() has a potential
> > bug (and, if it's a set-id program, a potential security hole).

> This is not the case. There are uses of gets() that are completely
> safe, for example when the program itself has written the file that is
> being read.

Heh. I once used gets() in a program for digesting uucp log files. OK,
the program itself didn't write the file, but it's a completely deterministic
format, right?

Wrong. One day it started coredumping, and I tracked it down to
/usr/spool/uucp having run out of space while writing the log, resulting in
one line about 150 characters long. Whoops.

On the other other hand, gets() is safe for use with pipes, when a program
is communicating with either itself or something else deterministic.

But again, fgets is so convenient and safe...
------------------------------------------------------------------------------
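
The failure mode described in the message above, handled with fgets(), as an added example that is not part of the original post. The 128-byte buffer, the names scan_log and make_sample_log, and the log contents are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 128   /* assumed buffer size; the message does not give one */

struct scan_result { int ok_lines; int overlong_lines; };

/* Read every line of fp with fgets(). A line that fills the buffer without
 * reaching a newline is counted as overlong and its tail is drained, so the
 * next fgets() call starts at the next real line instead of mid-line. */
struct scan_result scan_log(FILE *fp)
{
    struct scan_result r = {0, 0};
    char buf[LINE_BUF];

    while (fgets(buf, sizeof buf, fp) != NULL) {
        size_t n = strlen(buf);
        /* Newline present, or a short last line cut off by end of file. */
        if ((n > 0 && buf[n - 1] == '\n') || n < sizeof buf - 1) {
            r.ok_lines++;
            continue;
        }
        r.overlong_lines++;            /* gets() would have overrun buf here */
        int c;
        while ((c = getc(fp)) != EOF && c != '\n')
            ;                          /* discard the rest of the long line */
    }
    return r;
}

/* Constructed sample: two ordinary lines around one 150-character line. */
FILE *make_sample_log(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fputs("constructed log entry one\n", fp);
    for (int i = 0; i < 150; i++) putc('x', fp);
    fputs("\nconstructed log entry two\n", fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    FILE *fp = make_sample_log();
    if (fp == NULL) return 1;
    struct scan_result r = scan_log(fp);
    printf("ok=%d overlong=%d\n", r.ok_lines, r.overlong_lines);
    fclose(fp);
    return 0;
}
```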