bug-gnulib

Re: [PATCH] stdio: don't assume gets any more


From: Paul Eggert
Subject: Re: [PATCH] stdio: don't assume gets any more
Date: Thu, 29 Mar 2012 13:14:05 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20120209 Thunderbird/10.0.1

On 03/29/2012 12:35 PM, Eric Blake wrote:

> Any thoughts before I push this?

Yes, thanks, this is the sort of thing that I had in mind in
the earlier thread today about this
<http://lists.gnu.org/archive/html/bug-gnulib/2012-03/msg00183.html>.

Some comments about the patch details:

The GNULIB_GETS line needs to be removed from modules/stdio.

Shouldn't we also remove the definition of gets from
lib/stdio-read.c?

Should the GNULIB_TEST_GETS chunk be removed from
test-stdio-c++.cc?

doc/posix-functions/gets.texi needs to be updated to
match the other changes.

The comment in stdio.in.h about sprintf should
be updated to not also talk about gets.  Something like this:

-/* Some people would argue that sprintf should be handled like gets
-   (for example, OpenBSD issues a link warning for both functions),
-   since both can cause security holes due to buffer overruns.
+/* Some people would argue that all sprintf uses should be warned about
+   (for example, OpenBSD issues a link warning for it),
+   since it can cause security holes due to buffer overruns.
    However, we believe that sprintf can be used safely, and is more
    efficient than snprintf in those safe cases; and as proof of our
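
Review bot: the first added line, "all sprintf uses should be warned about", ends on a dangling preposition and reads awkwardly next to the parenthetical that follows; something like "Some people would argue that every use of sprintf should trigger a warning" says the same thing more directly. The two context lines shown here no longer depend on gets, but the comment continues past "and as proof of our", so the rest of it should be checked for any remaining reference to gets before this goes in.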


