Subject: The great gets() debate from back in March ...
To: None <firstname.lastname@example.org>
From: Greg Earle <earle@isolar.Tujunga.CA.US>
Date: 10/05/1994 23:35:05

I just ran across my first program that I've compiled in a while which uses
gets(). It's the main driver program "display.c" from the "display" program
that is a part of ImageMagick 3.3, which comes as part of the X11 R6

    netbsd4me:1:61 [/usr/X11R6/src/contrib/programs/ImageMagick-3.3] % sed -n \
    if (access(resource_info.write_filename,0) == 0)
    (void) fprintf(stderr,"Overwrite %s? ",
    if (!((*answer == 'y') || (*answer == 'Y')))

When I provided the author a tiny "#ifdef __NetBSD__" patch to use fgetln()
on stdin instead, he responded:
------- Begin Included Message
I thought fgets() was POSIX. If it's POSIX, I will continue to use fgets().
However, I will include your NetBSD hint in the README. Thanks.
------- End of Included Message
(Notice how he says "fgets()" but the program uses "gets()".)
What was the final verdict on this? Should I tell him "OK, POSIX uses fgets()
so change your code to `fgets(answer, size, stdin)' instead", or should I
claim righteous indignance to his ignoring the Horrific Security Hole that is
"gets()"? Or should I just not care? :-)
What's the general policy about telling authors about using gets()? Should it
be religious, with "#if defined(__NetBSD__) || defined(PC)"? :-)
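
Added example, not part of the original message and not ImageMagick's code: a bounded version of the "Overwrite?" answer read using the `fgets(answer, size, stdin)' form mentioned above, which also discards the tail of an over-long line so it cannot answer the next prompt. The names confirm_overwrite and ANSWER_SIZE, and the buffer size itself, are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define ANSWER_SIZE 16  /* assumed; the original buffer size is not shown */

/* Read one answer line from `in`. Returns 1 for y/Y, 0 for anything else,
 * including EOF or a read error. Never stores more than ANSWER_SIZE bytes,
 * unlike gets(), which has no way to know how large the buffer is. */
int confirm_overwrite(FILE *in)
{
    char answer[ANSWER_SIZE];
    int c;

    if (fgets(answer, sizeof answer, in) == NULL)
        return 0;               /* EOF or error: treat as "no" */

    /* fgets() keeps the newline. If none is present, the line was longer
     * than the buffer (or ended at EOF); discard the remainder so it is
     * not consumed as the answer to a later prompt. */
    if (strchr(answer, '\n') == NULL)
        while ((c = getc(in)) != EOF && c != '\n')
            ;

    return answer[0] == 'y' || answer[0] == 'Y';
}

int main(void)
{
    /* Constructed input: one over-long line, then a real answer. */
    FILE *in = tmpfile();

    if (in == NULL)
        return 1;
    fputs("nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn\ny\n", in);
    rewind(in);
    printf("first prompt:  %d\n", confirm_overwrite(in));
    printf("second prompt: %d\n", confirm_overwrite(in));
    fclose(in);
    return 0;
}
```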