FTBFS if "-Werror=format-security" flag is used

Tom Hughes tom at compton.nu
Mon Dec 9 23:14:17 UTC 2013


On 09/12/13 23:01, Les Howell wrote:

> unless something has changed recently fputs and puts just like gets and
> fgets have been deprecated and are discouraged due to potential security
> issues.

Nonsense.

The reason gets is dangerous is because it doesn't take a buffer size so 
will continue reading until it sees a newline even if it has long since 
overflowed the buffer - there is literally no way to use it safely 
unless you can guarantee the maximum length of a line in the input stream.

That does not apply to fgets, which takes a buffer length and is 
therefore safe as it will not overflow the buffer.

It also doesn't apply to puts or fputs, which are output routines so read 
from the buffer rather than writing to it, stopping at a nul.

Tom

-- 
Tom Hughes (tom at compton.nu)
http://compton.nu/
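
The distinction drawn in the message above, as an added example that is not part of the original post or of any package discussed in the thread: bounded input with fgets, with overlong lines detected and discarded, and output with fputs, which writes a line containing '%' verbatim. The names read_line, echo_line, stream_from and the LINE_* codes are hypothetical, and the sample text is constructed.

```c
/* Added example: all names are hypothetical, sample input is constructed. */
#include <limits.h>
#include <stdio.h>
#include <string.h>
enum { LINE_EOF = 0, LINE_OK = 1, LINE_TRUNCATED = 2 };

/* Temporary stream holding the given text, positioned at its start. */
FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL && fputs(text, f) != EOF)
        rewind(f);
    return f;
}

/* Read one line; fgets stores at most size - 1 bytes plus the nul. */
int read_line(FILE *in, char *buf, size_t size)
{
    if (size < 2 || size > INT_MAX || fgets(buf, (int)size, in) == NULL)
        return LINE_EOF;               /* end of input, error or bad size */
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';           /* whole line fitted */
        return LINE_OK;
    }
    int c = fgetc(in);                 /* no newline stored: look further */
    if (c == EOF || c == '\n')
        return LINE_OK;                /* last line, or exact fit */
    while (c != EOF && c != '\n')      /* discard the overlong remainder */
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/* fputs copies bytes up to the nul and never interprets '%'. */
int echo_line(FILE *out, const char *line)
{
    return fputs(line, out) != EOF && fputc('\n', out) != EOF;
}

int main(void)
{
    char buf[8];
    int st;
    FILE *in = stream_from("short\nthis line is too long\n%s%n\nend");
    if (in == NULL) return 1;
    while ((st = read_line(in, buf, sizeof buf)) != LINE_EOF)
        echo_line(stdout, st == LINE_TRUNCATED ? "[line too long]" : buf);
    fclose(in);
    return 0;
}
```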

