Subject: Re: vixie-crontab vunerable?
To: None <>
From: Ian Dall <>
List: current-users
Date: 12/17/1996 09:43:59
Lennart Augustsson <> writes:

  >> We already have a __warn_references() for gets(), so adding it to the
  >> others would probably be appropriate.
  > I don't think warnings for strcpy, sprintf etc. would be such a great
  > idea.  I often use them when I know it is perfectly safe,
  > and it would be a pain getting warnings for all those.

I agree. Because gets() usually operates on data of unknown length it
is normally unsafe (unless you can trust whoever is writing to
stdin). By comparison, strcpy and strcat operate on data within
the process and there is every possibility that the programmer
*knows* that the string won't overflow. Nor is it sufficient
because you don't know that someone hasn't done

   for(; *p; *p1++ = *p++);

or its moral equivalent. sprintf is a bit in between. sprintf("%s", p)
seems pretty unsafe, but is there anything dangerous about
sprintf("%d", &d)?

So I'd say that warnings for uses of functions which can only be used
safely under exceptional circumstances is OK, but otherwise is will
be a a pain and probably counter productive --- a case of crying "wolf".