On Thu, May 03, 2007 at 04:16:31PM -0500, Tom Spear wrote:
> On 5/3/07, Robert Shearman <[EMAIL PROTECTED]> wrote:
> >Tom Spear wrote:
> >> I was writing up a Hello World with input program for a demonstration
> >> for a non-developer coworker last week, and used the unsecured getch()
> >> and got the standard warning about how it was unsecured and dangerous
> >> to use that. That prompted me to look up the basic secured functions
> >> on the MS website, and compare to Wine code. According to MSDN,
> >> things like gets have been replaced with gets_s. However, as far as I
> >> can tell, Wine still only implements gets for Windows programs to
> >> use. Do we implement secured versions of other functions, and if
> >> not, how come?
> >
> >Q: Why doesn't Wine implement X?
> >A: Because not many programs use it and no-one has felt interested in
> >implementing it for fun.
>
> So in other words, most programs use insecure functions (like gets)
> instead of using secure functions (like gets_s), leaving themselves
> vulnerable to all sorts of buffer overflows? I wonder if Microsoft
> doesn't silently convert gets calls to gets_s calls, then, and maybe
> didn't document that?
>
> Otherwise I assume there would be thousands of buffer overflows that
> (malicious) people would exploit.
>
> I understand that most programs don't use either of those functions,
> but there are others that are used by nearly every program that MS
> deprecated in favor of secure versions.

Wine is not using gets() at all, insofar there is no risk from it.

It would be quite hard to convert gets -> gets_s by magic ;)

Ciao, Marcus
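
Why a silent gets -> gets_s conversion cannot work, as an added example that is not part of the original thread or of Wine's code: gets() is never told how big the buffer is, while a gets_s-style reader needs that size from the caller. `bounded_gets`, `demo_read` and the sample input are constructed for illustration; the helper follows the C11 Annex K gets_s behaviour but reads from a `FILE *` instead of stdin.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Wine or MSVCRT code). Reads one line into
 * buf[size] with gets_s semantics: the newline is dropped, and a line that
 * does not fit is discarded whole and reported as a failure. */
char *bounded_gets(char *buf, size_t size, FILE *in)
{
    size_t n = 0;
    int c;

    if (buf == NULL || size == 0)
        return NULL;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 >= size) {
            /* No room for this byte plus the terminator: drain the rest
             * of the line so the next read starts clean, then fail. */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
            buf[0] = '\0';
            return NULL;
        }
        buf[n++] = (char)c;
    }
    if (ferror(in) || (c == EOF && n == 0)) {
        buf[0] = '\0';      /* read error, or end of input with no data */
        return NULL;
    }
    buf[n] = '\0';
    return buf;
}

static char line1[8], line2[8];   /* the sizes gets() would never see */

/* Constructed driver: reads two lines of `input` through a temp file.
 * Returns a bitmask (1 = first line accepted, 2 = second line accepted). */
int demo_read(const char *input)
{
    FILE *f = tmpfile();
    int ok = 0;
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    if (bounded_gets(line1, sizeof line1, f)) ok |= 1;
    if (bounded_gets(line2, sizeof line2, f)) ok |= 2;
    fclose(f);
    return ok;
}

int main(void) { printf("%d\n", demo_read("AAAAAAAAAAAAAAAA\nok\n")); return 0; }
```

With gets() the 16-byte first line would be written past the end of the 8-byte buffer; here it is rejected and the following line is still read intact.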