Xref: sserve comp.os.386bsd.questions:12240 comp.os.386bsd.development:2372 comp.os.386bsd.misc:3127
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!bunyip.cc.uq.oz.au!munnari.oz.au!news.Hawaii.Edu!ames!hookup!news.kei.com!MathWorks.Com!news.duke.edu!news-feed-1.peachnet.edu!paperboy.wellfleet.com!noc.near.net!hopscotch.ksr.com!jfw
From: jfw@ksr.com (John F. Woods)
Newsgroups: comp.os.386bsd.questions,comp.os.386bsd.development,comp.os.386bsd.misc
Subject: Re: Why does FreeBSD 1.1.5 say gets() is unsafe?
Date: 3 Aug 1994 21:33:40 GMT
Organization: Kendall Square Research
Lines: 16
Message-ID: <31p2fk$927@hopscotch.ksr.com>
References: <30lrf3$2ii@acmez.gatech.edu> <ASAMI.94Jul25151654@forgery.cs.berkeley.edu> <311m2e$o33@agate.berkeley.edu> <311uec$4cm@grapevine.lcs.mit.edu> <1994Jul31.052235.13416@cs.brown.edu>
NNTP-Posting-Host: kaos.ksr.com

mhw@cs.brown.edu (Mark Weaver) writes:
>First let me say that a program which uses gets() is not inherently
>insecure if it only reads from a secure source (a trusted file or
>output from another trusted program).

Let me point out, though, that sometimes a "trusted" file lets you down.
A long time ago, I had a program that parsed uucp status files, an
extremely predictable format for which gets was ideal. Except, of course,
for the day when I ran the analyzer on a status file that was being
written when the filesystem ran out of space, resulting in a line that
was almost twice as long as the buffer...

(Piped output, on the other hand, from one half of a program that forks
to its other half, should be absolutely safe from either error or
spoofing.)
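The failure described in the post above is a line longer than the buffer arriving from a file that was assumed well-formed. The following is an added example, not code from the post or from any BSD source: a bounded line reader built on fgets() that never writes past the buffer and reports an over-long line to the caller as a distinct status instead of silently corrupting the stack. The function names (read_line_checked, scan_contents, make_stream), the enum, and the sample "status file" contents are all constructed for this example; the sample uses a made-up record format and a deliberately over-long line standing in for the truncated-on-disk-full record the post mentions.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of reading one line with a fixed-size buffer. */
enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Read one line (newline stripped) into buf, which has room for cap bytes.
 * Unlike gets(), this never writes past buf[cap-1]. If the line does not
 * fit, the remainder of that line is consumed and discarded and
 * LINE_TOO_LONG is returned, so the caller can skip, log, or abort on
 * the record rather than overflowing. */
enum line_status read_line_checked(FILE *fp, char *buf, size_t cap)
{
    if (cap < 2)                 /* no room for even one char plus NUL */
        return LINE_TOO_LONG;
    if (fgets(buf, (int)cap, fp) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';     /* whole line fit, drop the newline */
        return LINE_OK;
    }
    /* No newline in the buffer: either the final line lacks one, the line
     * filled the buffer exactly, or it is longer than the buffer. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return LINE_OK;          /* last line, or exact fit */
    while (c != '\n' && c != EOF) /* over-long: discard the rest of it */
        c = fgetc(fp);
    return LINE_TOO_LONG;
}

/* Build a readable stream from an in-memory string (hypothetical helper,
 * used so the example runs without touching real files). */
FILE *make_stream(const char *contents)
{
    FILE *fp = tmpfile();        /* ISO C; NULL if no temp storage */
    if (fp == NULL)
        return NULL;
    fputs(contents, fp);
    rewind(fp);
    return fp;
}

struct scan_result { int lines; int too_long; };

/* Scan every line of contents with a buffer of cap bytes and count how
 * many records would have overflowed a gets()-style buffer of that size. */
struct scan_result scan_contents(const char *contents, size_t cap)
{
    struct scan_result r = { 0, 0 };
    char buf[256];               /* cap is clamped to this real buffer */
    if (cap > sizeof buf)
        cap = sizeof buf;
    FILE *fp = make_stream(contents);
    if (fp == NULL)
        return r;
    for (;;) {
        enum line_status st = read_line_checked(fp, buf, cap);
        if (st == LINE_EOF)
            break;
        r.lines++;
        if (st == LINE_TOO_LONG)
            r.too_long++;        /* a "trusted" file let us down here */
    }
    fclose(fp);
    return r;
}

/* Constructed sample: three well-formed records and one 60-byte line
 * standing in for a record mangled while the filesystem was full. */
const char SAMPLE_STATUS[] =
    "uucp:host1:OK\n"
    "uucp:host2:OK\n"
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
    "uucp:host3:OK";             /* final record without trailing newline */

int main(void)
{
    struct scan_result r = scan_contents(SAMPLE_STATUS, 32);
    printf("%d lines, %d too long for a 32-byte buffer\n", r.lines, r.too_long);
    return 0;
}
```

With a 32-byte buffer the third record is reported as LINE_TOO_LONG and the rest of it is thrown away; a gets() call on the same input would have written about twice the buffer's size onto the stack. The check for "exact fit" (next character is the newline) matters: fgets() stops one byte short of the buffer size, so a line of exactly cap-1 characters is legitimate and must not be flagged.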