Path: utzoo!attcan!uunet!husc6!cs.utexas.edu!sm.unisys.com!ism780c!news
From: news@ism780c.isc.com (News system)
Newsgroups: comp.lang.c
Subject: Re: retiring gets(3)
Message-ID: <19278@ism780c.isc.com>
Date: 16 Nov 88 21:34:45 GMT
References: <1988Nov14.220842.3980@utstat.uucp> <682@quintus.UUCP>
Reply-To: marv@ism780.UUCP (Marvin Rubenstein)
Organization: Interactive Systems Corp., Santa Monica CA
Lines: 24

In article <682@quintus.UUCP> ok@quintus.UUCP (Richard A. O'Keefe) writes:
>
>There is a false assumption in this, namely that an attacker can control
>the input to every program.  If I have a program which _only_ I have
>permission to execute, and I _always_ use it in a pipeline (or in a
>command script), and the preceding program in the pipeline (or script)
>always generates sufficiently short lines, it is safe to use gets().
>The input to such a program is _every_ bit as much under my control as
>the source argument of strcpy().

No one worries much about a program written by Mr O'Keefe that can be executed
only by Mr O'Keefe.  What worries most people is programs distributed for
public use that are written by someone who is unaware of the 'gets problem'.
Simply admonishing programmers (of publicly available software) to avoid making
the 'gets mistake' is less effective than removing gets from the library.

I would like to suggest a library routine to replace gets, say
safegets(buffer,count), which for lines no longer than count would behave
like gets, and for lines longer than count would place the first count-1
characters of the line into the buffer followed by a '\0'.  The value returned
by safegets is the line length (or EOF).

   Marv Rubinstein
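
A sketch of the safegets(buffer,count) routine proposed in the post above, added here as an example and not part of the original article. It assumes that count is the buffer size in bytes, that the unread remainder of an overlong line is discarded, and that the returned length is that of the full line (so a result >= count signals truncation); safegets_from() is a hypothetical helper added so the routine can read from any stream.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper: the contract proposed for safegets(), but reading
 * from any stream so it can be exercised without stdin. */
long safegets_from(FILE *fp, char *buffer, long count)
{
    long len = 0;   /* full length of the line, excluding the newline */
    int c;

    if (fp == NULL || buffer == NULL || count < 1)
        return EOF; /* assumption: no room even for '\0' is treated as EOF */

    while ((c = getc(fp)) != EOF && c != '\n') {
        if (len < count - 1)
            buffer[len] = (char)c;  /* store only what fits */
        if (len < LONG_MAX)
            len++;                  /* keep counting; the excess is discarded */
    }
    if (c == EOF && len == 0)
        return EOF;                 /* nothing read: end of input or error */

    buffer[len < count - 1 ? len : count - 1] = '\0';
    return len;     /* len >= count means the line was truncated */
}

/* The interface as proposed in the post: read one line from stdin. */
long safegets(char *buffer, long count)
{
    return safegets_from(stdin, buffer, count);
}

int main(void)
{
    char line[16];
    long n;

    /* Echo each input line with its length, flagging truncated ones. */
    while ((n = safegets(line, sizeof line)) != EOF)
        printf("%ld%s: %s\n", n,
               n >= (long)sizeof line ? " (truncated)" : "", line);
    return 0;
}
```

Unlike gets(), a line longer than the buffer is cut to count-1 characters instead of overrunning it, and the caller can detect the cut from the return value.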