Re: [SLUG] Using Programs that use _gets_

From: Ronan Heffernan (ronan.heffernan@mindspring.com)
Date: Fri Feb 15 2002 - 02:42:33 EST


Robert Haeckl wrote:

>Recently, I downloaded the imap tar file from Washington U. and compiled
>it. One of the compiler warnings mentioned that gets() was used. Is
>this always significant as a potential buffer overrun problem, and would
>this raise a red flag for someone who screens source code?
>
>-Robert
>
It should probably be a flag in general, but there are situations where
this is not a serious concern. If the program is reading its
configuration files on startup (especially before binding to a network
socket), then the program could crash, but should not be a security
risk. However, if gets() is ever used to process user input (i.e. reading
from a network socket), then you have a real security danger. Using
gets() at all is sloppy; in general, you should always use fgets() as a
gets() replacement (or use a totally different mechanism like iostreams
(C++) or read() (ANSI C; uses file descriptors rather than FILE structs)).
--ronan
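A bounded line reader of the kind recommended above, added here as an illustration; it is not code from the thread or from the imap sources, and the `read_line()`, `stream_from()` and `demo()` names and the sample input are constructed. It also covers the case a plain gets()-to-fgets() swap gets wrong: a line longer than the buffer, whose tail would otherwise be read back as the next line.

```c
#include <stdio.h>
#include <string.h>

/* A naive gets()->fgets() swap silently mishandles the overlong-line
   case: the tail is returned as the "next" line. Report it instead. */
enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Bounded replacement for gets(): at most size-1 bytes into buf, always
   NUL-terminated, newline stripped, overflow drained to end of line. */
static int read_line(char *buf, size_t size, FILE *fp)
{
    if (size == 0) return LINE_EOF;            /* no room even for the NUL */
    if (fgets(buf, (int)size, fp) == NULL) {   /* EOF or read error */
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline: buffer filled, or file ended without one. Peek to tell. */
    int c = getc(fp);
    if (c == EOF || c == '\n') return LINE_OK;  /* line fit exactly */
    while (c != '\n' && c != EOF) c = getc(fp); /* drain the overflow */
    return LINE_TRUNCATED;
}

/* FILE* over constructed text via tmpfile(), to stay within standard C. */
static FILE *stream_from(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

/* Constructed input: short line, overlong line, last line without newline. */
static int demo(void)
{
    char buf[8]; /* deliberately small so the second line overflows it */
    FILE *fp = stream_from("ok\n0123456789abcdef\nlast");
    if (fp == NULL) return -1;
    int a = read_line(buf, sizeof buf, fp); /* LINE_OK, buf = "ok" */
    int b = read_line(buf, sizeof buf, fp); /* LINE_TRUNCATED, "0123456" */
    int c = read_line(buf, sizeof buf, fp); /* LINE_OK, buf = "last" */
    int d = read_line(buf, sizeof buf, fp); /* LINE_EOF */
    fclose(fp);
    return (a == LINE_OK && b == LINE_TRUNCATED && c == LINE_OK
            && d == LINE_EOF) ? 0 : 1;
}
```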



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:06:46 EDT