gets() not so bad

**dylan** · 06-12-2010

Originally Posted by Elysia

You should have made it clearer what you meant to say...

The funny part of this is, it was your post that made me write that code/post.
You said one comment above mine :

Furthermore, it can completely screw up your program. It could even delete files you wouldn't want off your hard drive. Would you like that?

So I wrote a 5 line program that WILL delete (ok if there was the code the really unlink) the wrong files if you type too much data into stdin when using get.

So I assumed the 5 lines of code would be self explanatory.

Dylan

**Elysia** · 06-12-2010

The thing is, I wrote "can," which does not necessarily mean "will".
It's entirely plausible, though. Consider this scenario:
You have a temp file stored in some char buffer. Then you read some input from the user. You get a buffer overrun, so it overwrites the contents of the buffer to the temp file.
You close the temp file and delete it. Ah, but the contents of the path to the temp file was overwritten due to the buffer overrun. Oops.
This is the real danger. We wouldn't want this, would we?

**whiteflags** · 06-12-2010

I must admit it's fun when people speak in hyperbole. "Buffer overruns will DELETE your drive!! !!WARNING!!" People really can't know the difference can they? It just depends on the OS and it's secure signal trapping.

I don't think changing standards is the best or even preferred way to deal with this type of problem. In the first place, even examples of safe functions you defend are just as much examples of the problem. Every function depends on correct arguments, memcpy and _memcpy_s included. Without compilers double checking, or ...anything, adding arguments wont make things safer if you seriously want to use that argument.

There are tools to deal with this stuff and the answer is to use them. They don't even necessarily need to be tools, they can be your peers, too. The universe may make better idiots as things become foolproof, but a bunch of idiots will take their sack of stupid and hit some smart.

**grumpy** · 06-12-2010

Originally Posted by whiteflags

I don't think changing standards is the best or even preferred way to deal with this type of problem.

Changing a relevant standard, however, is an option to replace a function that has an unpreventable unsafe mode of operation (i.e. no way of using it safely) with a function that has one or more modes in which it can be used safely.

A function with no safe mode of operation is inherently dangerous - there is a risk with using it that cannot be eliminated. A function with one or more safe modes of operation can, with reasonable effort, be used safely.

Originally Posted by whiteflags

In the first place, even examples of safe functions you defend are just as much examples of the problem. Every function depends on correct arguments, memcpy and _memcpy_s included. Without compilers double checking, or ...anything, adding arguments wont make things safer if you seriously want to use that argument.

Using that of sort of logic, we wouldn't develop software at all. It is possible to find an unsafe mode of operation of almost anything: language constructs, library functions, etc.

memcpy() can be used safely, in the sense that it can be guaranteed to behave correctly if it is provided with an appropriate set of arguments. gets() cannot.

**whiteflags** · 06-13-2010

You're right. I'm surprised people want to tell me these things though. I haven't talked about gets in this thread at all.

>> Using that of sort of logic, we wouldn't develop software at all. It is possible to find an unsafe mode of operation of almost anything: language constructs, library functions, etc.

Yeah that's kinda why I wrote the reply to Elysia. Elysia's idea of safe is like, a situation where programmers don't need to do the ugly parts of their jobs.

**nonoob** · 06-13-2010

Originally Posted by iMalc

Do you enjoy it when an attacker installs adware on your machine, or a keylogger to capture your passwords, or a when your harddrive is wiped clean unexpectedly? Do you like that fact that Windows updates are frequently required to be downloaded to your machine and your PC restarted?
We don't!

Well, no. Microsoft's products and their employees should be held to a higher standard. Your example implies that Microsoft employees are just as newbie as people who don't watch for buffer overruns. Unfortunately we know that's true through dozens of cases.

When a student writes a "hello world", or some algorithm testing program, he should not be worried about a hacker installing keyloggers and exploiting buffer overruns. That's just not a realistic concern. Same goes for quickie utilities I write for my company. Simple prompts, simple answers, file names, etc. There is never going to be an army of industrial hackers let loose on this code.

I think all this is a Microsoft marketing to divert attention away from their own crappy code. They seem want to blame careless use of certain functions, and in general, their own incompetently written crap, on some fundamental C language constructs. How about employing people who have lived through their own mistakes and have learned from them? Who have built their own tools and techniques to prevent overrun issues after years of practical, bullet proof code?

To simply demand that people cease using "dangerous" functions does not address the problem of instilling good coding practice and common sense approaches. We need smarter programmers. Not dumbed down environments. It's like equipping public playgrounds with rubberized matting these days. Kids will never know there are pitfalls. Never mind instilling a better sense of balance and coordination.

**Elysia** · 06-13-2010

You are misunderstanding here.
These safer versions aren't meant to replace smarter programmers. They're there to complement smarter programmers, because even veteran developers make mistakes. You can't write bulletproof code. You can only reduce the risk of security vulnerabilities. And the more you reduce vulnerabilities, the better.

And I already addressed your concerns. Why are you learning programming in the first place? If it's in a university, it's usually because there's an idea behind everything! Because one day you might be writing software for something!
Besides that, there is always the risk that some malicious software just scans through the computer trying to find some vulnerable code and uses it to its advantage!
Even worse, you might one day share your code in some form or way, and other people use it without understanding its implications and you've just used gets!

You don't see people using a chainsaw, even to cut small branches, without being aware of the security implications, do you? Programming is the same. There are basic guidelines which everyone--hobby or professional!--must follow. And gets is one of them.

**bernt** · 06-13-2010

Maybe we should be teaching those students how to exploit buffer overruns. How to give it input that will delete folders even when there's no call to the "delete folder" function in your program's source. How to make it turn even the most inane programs into gaping security holes.
Then maybe people would complain about Vista's UAC a lot less. Maybe people would think twice about downloading that "magic" it-does-everything software. Teaching people how to exploit their systems is the best way to teach them to protect against exploits.

I really like nonoob's idea here:

It's like equipping public playgrounds with rubberized matting these days. Kids will never know there are pitfalls. Never mind instilling a better sense of balance and coordination.

And this goes beyond programming - it's infected our school system. But I'll leave that for another day in GD.

**Elysia** · 06-13-2010

No, showing by example is definitely a good idea. Just saying "this is bad" is never a good way to teach. You have to teach people why it is that way. That is why we have proofs in our math books!

**claudiu** · 06-13-2010

I can't believe this thread is still going on.

The problem is simple:

gets=bad, use it at your own risk.

**Elysia** · 06-13-2010

The problem is even simpler:
gets=bad
Never use it.

**iMalc** · 06-13-2010

Originally Posted by nonoob

When a student writes a "hello world", or some algorithm testing program, he should not be worried about a hacker installing keyloggers and exploiting buffer overruns. That's just not a realistic concern.

Agreed. However why should a student learn something that they'll have to unlearn later and learn it's safe replacement for? Why not just learn the safe method to being with? Breaking old habbits can be hard.

Same goes for quickie utilities I write for my company. Simple prompts, simple answers, file names, etc. There is never going to be an army of industrial hackers let loose on this code.

Yes but buffer overruns can happen accidentally, not just through hacking. Classic case is accepting a file path and some user trys a rather long path, or attempts to enter multiple paths separated with semicolons or whatever, hoping it will understand that. If you're lucky it simply crashes.

**jeffcobb** · 06-13-2010

This will probably tick off the purists and the OP but the simple truth is this: folks who think that "using such and such dangerous routine because (pick one of "its just a throw-away project", "its just a learning project", " no one will ever use this in a dangerous manner or for a risky purpose"), simply demonstrates their lack of real-world skills and experience. The one constant is that your software will almost invariably be used in a manner that you had never envisioned. Moreover, if you get used to writing such dangerous code, sooner or later you will get hired into a company or position where it does matter and your habits will expose the company to dangers and most likely lose you your job.

**nonoob** · 06-14-2010

The Microsoft environment has blown up a lot more frequently than my throw-away code. That tells me their good advice about avoiding risky code should be better practiced by their own staff before they preach to me. Or they should have implemented run-time array bounds checking in their compiled code even though it's beyond what pure C would let you get away with.

Operating system blowups are inexcusable. Those happen when no one is even trying to hack on purpose.

Do you really think people lose their jobs at Microsoft every time something croaks? They'd have a bunch of empty buildings by now. More like buildings with negative number of people in them.

Please don't imply I have little real-world skills and experience. I have gone so far as to grab key codes myself so that I would not need to rely on potentially flaky library code - when it mattered if the user pressed left or right shift key, and when I wanted to intercept any function-key, or ctrl-alt-delete shenanigans. But that was years ago. Current operating systems make taking control of the hardware increasingly difficult.

**Elysia** · 06-14-2010

By Microsoft environment, you mean...?
Also, Microsoft software is buggy, not insecure. Those are two very different things. I very much doubt that they write outside array bounds.

Operating system blowups usually is because of 3rd-party code. Don't blame Microsoft; blame the developers of the software you're installing.

You have little experience, you are naive or you're just pure dumb. Anyone who says gets is good is either inexperienced, naive or just an idiot.