On Thu, May 03, 2007 at 04:16:31PM -0500, Tom Spear wrote:
> On 5/3/07, Robert Shearman <rob@codeweavers.com> wrote:
> > Tom Spear wrote:
> > > I was writing up a Hello World with input program for a demonstration for a non-developer coworker last week, and used the unsecured getch() and got the standard warning about how it was unsecured and dangerous to use that. That prompted me to look up the basic secured functions on the MS website, and compare to Wine code. According to MSDN, things like gets have been replaced with gets_s. However, as far as I can tell, Wine still only implements gets for Windows programs to use. Do we implement secured versions of other functions, and if not, how come?
> > Q: Why doesn't Wine implement X? A: Because not many programs use it and no-one has felt interested in implementing it for fun.
> So in other words, most programs use insecure functions (like gets) instead of using secure functions (like gets_s), leaving themselves vulnerable to all sorts of buffer overflows? I wonder if Microsoft doesn't silently convert gets calls to gets_s calls, then, and maybe didn't document that?
> Otherwise I assume there would be thousands of buffer overflows that (malicious) people would exploit.
> I understand that most programs don't use either of those functions, but there are others that are used by nearly every program that MS deprecated in favor of secure versions.
Wine is not using gets() at all, so there is no risk from it. It would be quite hard to convert gets -> gets_s by magic ;)

Ciao, Marcus
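The gets/gets_s difference the thread turns on, as an added example in C that is not part of this thread or of Wine's code: `bounded_gets` is a hypothetical reader with gets_s-like semantics (it takes the buffer size, and fails instead of overflowing when a line does not fit), and the input strings are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded reader with gets_s-like semantics (added example, not
 * Wine code). Reads one line from `in` into buf[0..size-1], strips the newline
 * and returns buf. If the line does not fit, it drains the rest of the line,
 * empties buf and returns NULL. The size argument is exactly the information
 * gets() never receives, which is why a gets() call cannot be turned into a
 * gets_s() call mechanically: the caller has to be changed to pass the size. */
char *bounded_gets(char *buf, size_t size, FILE *in)
{
    if (buf == NULL || size == 0) return NULL;
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return NULL; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return buf; }
    /* No newline: either EOF ended the line (fine) or the line overflowed. */
    int c = fgetc(in);
    if (c == EOF) return buf;
    /* Too long for the buffer: report failure rather than write past buf. */
    while (c != '\n' && c != EOF) c = fgetc(in);
    buf[0] = '\0';
    return NULL;
}

/* Demo helper: feeds a constructed input string through a temporary file.
 * Returns 1 on success, 0 when the line was rejected, -1 on I/O error. */
int read_line_from_string(const char *input, char *buf, size_t size)
{
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(input, f);
    rewind(f);
    char *r = bounded_gets(buf, size, f);
    fclose(f);
    return r != NULL;
}

int main(void)
{
    char buf[8];  /* room for 7 characters plus the terminator */
    int ok = read_line_from_string("hello\n", buf, sizeof buf);
    printf("%d \"%s\"\n", ok, buf);
    ok = read_line_from_string("this line is too long\n", buf, sizeof buf);
    printf("%d \"%s\"\n", ok, buf);
    return 0;
}
```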