Subject: Re: The great gets() debate from back in March ...
To: Greg Earle <earle@isolar.Tujunga.CA.US>
From: J.T. Conklin <>
List: current-users
Date: 10/06/1994 08:39:22
> I just ran across my first program that I've compiled in a while which uses
> gets(). 

> When I provided the author a tiny "#ifdef __NetBSD__" patch to use fgetln()
> on stdin instead, he responded:
> ------- Begin Included Message
> I thought fgets() was POSIX.  If it's POSIX, I will continue to use fgets().
> However, I will include your NetBSD hint in the README.  Thanks.
> ------- End of Included Message
> (Notice how he says "fgets()" but the program uses "gets()".)

> What was the final verdict on this?  Should I tell him "OK, POSIX uses fgets()
> so change your code to `fgets(answer, size, stdin)' instead", or should I
> claim righteous indignance to his ignoring the Horrific Security Hole that is
> "gets()"?  Or should I just not care?  :-)

Remember that most of the gets() debate was over NetBSD's non-ANSI 
behavior of printing a warning message the first time it was invoked.  
This has been changed so that a link-time warning is issued instead.

I would agree with the software author about putting OS-specific code 
in an application.  Perhaps he doesn't realize that he's using gets()
instead of fgets()?

Since the buffer he uses is only two characters, you could probably find 
a legitimate bug report that would convince him to change to fgets().  
What happens when you answer the prompt with:

	Yes.  Please.  I really, really want you to do it.  

That would probably overwrite something important :-).
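As an added illustration of the point made above (example code written for this page, not code from the thread or from the program under discussion): a bounded line reader built on fgets(), the portable replacement the reply suggests, exercised on the two-character answer buffer the thread describes. The function names read_line(), read_line_from_string(), answer_is_yes() and answer_was_truncated() are assumptions made here; fmemopen() is used only to stand in for stdin so the example runs offline. fgets() stores at most size-1 characters, so the long "Yes.  Please.  ..." reply lands as a single 'Y' plus NUL, with the remainder drained from the stream and reported as truncation instead of being written past the end of the buffer.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the demo helper */
#endif
#include <stdio.h>
#include <string.h>

/*
 * Bounded line reader: the portable replacement for gets() discussed in the
 * thread.  Reads one line from `in` into `buf` (capacity `size`), strips the
 * trailing newline and discards whatever did not fit so the next read starts
 * on the next line.  Returns 1 if a line was read, 0 on EOF/error.  If the
 * line was longer than the buffer, *truncated is set to 1.
 */
int read_line(char *buf, size_t size, FILE *in, int *truncated)
{
    size_t len;
    int c;

    if (truncated != NULL)
        *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return 0;

    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* whole line fit: drop the newline */
        return 1;
    }
    /* No newline in the buffer: either EOF without one, or the line was
     * longer than the buffer.  Drain the rest of the line so it cannot be
     * mistaken for the answer to the next prompt. */
    while ((c = fgetc(in)) != EOF && c != '\n')
        if (truncated != NULL)
            *truncated = 1;
    return 1;
}

/* Demo helper (assumed name): run read_line() over an in-memory stream built
 * from `text`, standing in for stdin so the example is self-contained. */
int read_line_from_string(const char *text, char *buf, size_t size, int *truncated)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    int ok;
    if (in == NULL)
        return 0;
    ok = read_line(buf, size, in, truncated);
    fclose(in);
    return ok;
}

/* The thread's scenario: a yes/no prompt answered into a two-byte buffer
 * (one character plus the terminating NUL).  gets() has no size argument,
 * so a long answer would write past `answer`; fgets() stores at most one
 * character and read_line() discards the rest. */
int answer_is_yes(const char *text)
{
    char answer[2];
    if (!read_line_from_string(text, answer, sizeof answer, NULL))
        return 0;
    return answer[0] == 'y' || answer[0] == 'Y';
}

/* Reports whether the answer was longer than the two-byte buffer allows,
 * i.e. the kind of input that a gets() call would have overflowed on. */
int answer_was_truncated(const char *text)
{
    char answer[2];
    int truncated = 0;
    if (!read_line_from_string(text, answer, sizeof answer, &truncated))
        return 0;
    return truncated;
}

int main(void)
{
    /* Constructed input: the reply suggested in the thread. */
    const char *long_answer = "Yes.  Please.  I really, really want you to do it.\n";
    printf("yes=%d truncated=%d\n", answer_is_yes(long_answer), answer_was_truncated(long_answer));
    printf("yes=%d truncated=%d\n", answer_is_yes("n\n"), answer_was_truncated("n\n"));
    return 0;
}
```

In a real program read_line() would be called with stdin instead of the fmemopen() stream; the truncated flag lets the caller decide whether to re-prompt rather than silently act on a cut-down answer.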