Subject: Re: gets()
To: Richard Tobin <richard@cogsci.edinburgh.ac.uk>
From: Scott Reynolds <scott@lisa.acs.nmu.edu>
List: current-users
Date: 03/11/1994 13:17:30
On Fri, 11 Mar 1994, Richard Tobin wrote:

> > any program which uses gets() has a potential
> > bug (and, if it's a set-id program, a potential security hole).
> 
> This is not the case.  There are uses of gets() that are completely
> safe, for example when the program itself has written the file that is
> being read.

You're assuming, of course, that nobody else has modified the file; one 
slipped up chmod() can create a security hole if the writer of a setuid 
program hasn't been careful to avoid gets().

One benefit of a run-time warning from gets() is that the users of a 
program can get annoyed enough by it to contact the author and get them 
to change it.  It just plain shouldn't be used by any released software, 
public domain or otherwise.  In my opinion its only use is for Intro to 
Programming classes, and even there I'm skeptical.

I'll go back to the rock I crawled out from under.  I'm grouchy and I'm 
getting tired of reading about gets().

Scott Reynolds
Academic Computing Dept.
Northern Michigan University
scott@bart.acs.nmu.edu

------------------------------------------------------------------------------
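The two points argued in this message, sketched as an added example (not code from the thread or from NetBSD): check that a file the program "wrote itself" is still owned by the expected user and not writable by anyone else, and read it with a bounded line reader instead of gets(). The names `fd_is_private` and `read_line`, the 8-byte buffer and the file contents are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the open file belongs to `owner` and group/others cannot write it. */
int fd_is_private(int fd, uid_t owner)
{
    struct stat st;
    return fstat(fd, &st) == 0 && st.st_uid == owner &&
           (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Bounded stand-in for gets(): 0 = line stored (newline stripped), 1 = end of
 * file, -1 = line did not fit (remainder discarded). Assumes no NUL bytes. */
int read_line(FILE *fp, char *buf, size_t size)
{
    if (size < 2) return -1;
    if (fgets(buf, (int)size, fp) == NULL) return 1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    int c = fgetc(fp);              /* no newline yet: look at what follows */
    if (c == EOF || c == '\n')
        return 0;                   /* fit exactly, or last line lacks '\n' */
    while (c != EOF && c != '\n')   /* over-long: drop the rest of the line */
        c = fgetc(fp);
    buf[0] = '\0';
    return -1;
}

int main(void)
{
    char buf[8];
    FILE *fp = tmpfile();           /* constructed stand-in for the program's own file */
    if (fp == NULL) return 1;
    fputs("alice\nAAAAAAAAAAAAAAAAAAAAAAAA\nbob\n", fp);  /* line 2: tampered */
    rewind(fp);
    fchmod(fileno(fp), 0666);       /* the slipped-up chmod() */
    if (!fd_is_private(fileno(fp), geteuid()))
        puts("warning: file writable by others, contents untrusted");
    for (int r; (r = read_line(fp, buf, sizeof buf)) != 1; )
        puts(r == 0 ? buf : "(over-long line rejected)");
    fclose(fp);
    return 0;
}
```

With gets() the 24-byte second line would run past the end of `buf`; here it is rejected and reading resumes at the next line.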