On Tue, Jan 25, 2000 at 03:39:40PM +0100, Roman Hodek wrote:
>
> > But the changelog of amiga-fdisk says that it got to use libreadline
> > instead of gets because gets is buggy, or pose a security hazard, or
> > whatever.
>
> Yes, gets() is dangerous because it doesn't check the bounds of the
> input buffer. One should use fgets() instead, e.g.:
>
> +#ifdef DONT_USE_READLINE
> +char *readline (const char *prompt)
> +{
> + char buffer[1024];
> + char *s;
> + int size;
> + printf ("%s",prompt);
> + fflush (stdout);
> + fgets (buffer, sizeof(buffer), stdin);
> + size = strlen (buffer);
> + s = malloc ((size+1)*sizeof(char));
> + s = strcpy (s, buffer);
> + fflush (stdin);
> + return s;
> +}
> +#endif
>
> This is sufficiently safe.
This doesn't check the bounds also, isn't it ? And is gets not implemented as
fgets (stdin) ?
Friendly,
Sven LUTHER
