Subject: The great gets() debate from back in March ...
To: None <>
From: Greg Earle <earle@isolar.Tujunga.CA.US>
List: current-users
Date: 10/05/1994 23:35:05
I just ran across my first program that I've compiled in a while which uses
gets().  It's the main driver program "display.c" from the "display" program
that is a part of ImageMagick 3.3, which comes as part of the X11 R6
contributed software:

netbsd4me:1:61 [/usr/X11R6/src/contrib/programs/ImageMagick-3.3] % sed -n \
'11231,11240p' display.c.orig

                  if (access(resource_info.write_filename,0) == 0)

                      (void) fprintf(stderr,"Overwrite %s? ",
                      (void) gets(answer);
                      if (!((*answer == 'y') || (*answer == 'Y')))

When I provided the author a tiny "#ifdef __NetBSD__" patch to use fgetln()
on stdin instead, he responded:

------- Begin Included Message

I thought fgets() was POSIX.  If it's POSIX, I will continue to use fgets().
However, I will include your NetBSD hint in the README.  Thanks.

------- End of Included Message

(Notice how he says "fgets()" but the program uses "gets()".)

What was the final verdict on this?  Should I tell him "OK, POSIX uses fgets()
so change your code to `fgets(answer, size, stdin)' instead", or should I
claim righteous indignance to his ignoring the Horrific Security Hole that is
"gets()"?  Or should I just not care?  :-)

What's the general policy about telling authors about using gets()?  Should it
be religious, with "#if defined(__NetBSD__) || defined(PC)"?  :-)

	- Greg
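As an added example (not code from the mail or from ImageMagick), here is the `fgets(answer, size, stdin)` replacement in full, including the two details a one-line swap of gets() for fgets() leaves out: the newline that fgets() keeps in the buffer, and the rest of an over-long reply that would otherwise be read as the answer to the next prompt. The function names, the 8-byte `answer` buffer and the tmpfile()-based test helper are assumptions for illustration; the y/Y test mirrors the quoted display.c line.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf[size] with fgets(), drop the newline, and drain
 * whatever did not fit so it cannot be taken as the next prompt's answer.
 * Returns 1 when a line was read, 0 on EOF before any input; *truncated
 * is set when input had to be discarded to stay within the buffer. */
int read_answer(char *buf, size_t size, FILE *in, int *truncated)
{
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* whole line fit: strip newline */
        return 1;
    }
    int c;                              /* no newline: EOF or too long */
    while ((c = fgetc(in)) != EOF && c != '\n')
        *truncated = 1;                 /* discard the rest of the line */
    return 1;
}

/* Same decision the quoted display.c code makes on the first character. */
int wants_overwrite(const char *answer)
{
    return answer[0] == 'y' || answer[0] == 'Y';
}

/* The prompt itself, parameterised on streams so it runs without a
 * terminal. Returns 1 to overwrite, 0 otherwise; EOF is treated as "no". */
int ask_overwrite(const char *filename, FILE *in, FILE *out)
{
    char answer[8];                     /* deliberately small (assumed) */
    int truncated;
    if (out != NULL)
        fprintf(out, "Overwrite %s? ", filename);
    if (!read_answer(answer, sizeof answer, in, &truncated))
        return 0;
    return wants_overwrite(answer);
}

/* Test helper: turn constructed input text into a readable stream. */
FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL) { fputs(text, f); rewind(f); }
    return f;
}
```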