Unsecured API functions

Marcus Meissner marcus at jet.franken.de
Thu May 3 16:26:37 CDT 2007


On Thu, May 03, 2007 at 04:16:31PM -0500, Tom Spear wrote:
> On 5/3/07, Robert Shearman <rob at codeweavers.com> wrote:
> >Tom Spear wrote:
> >> I was writing up a Hello World with input program for a demonstration
> >> for a non-developer coworker last week, and used the unsecured getch()
> >> and got the standard warning about how it was unsecured and dangerous
> >> to use that.  That prompted me to look up the basic secured functions
> >> on the MS website, and compare to Wine code.  According to MSDN,
> >> things like gets have been replaced with gets_s.  However, as far as I
> >> can tell, Wine still only implements gets for Windows programs to
> >> use.  Do we implement secured versions of other functions, and if
> >> not, how come?
> >
> >Q: Why doesn't Wine implement X?
> >A: Because not many programs use it and no-one has felt interested in
> >implementing it for fun.
> 
> So in other words, most programs use insecure functions (like gets)
> instead of using secure functions (like gets_s), leaving themselves
> vulnerable to all sorts of buffer overflows?  I wonder if Microsoft
> doesn't silently convert gets calls to gets_s calls, then, and maybe
> didn't document that?
> 
> Otherwise I assume there would be thousands of buffer overflows that
> (malicious) people would exploit.
> 
> I understand that most programs don't use either of those functions,
> but there are others that are used by nearly every program that MS
> deprecated in favor of secure versions.

Wine is not using gets() at all, so in that respect there is no risk from it.
It would be quite hard to convert gets -> gets_s  by magic ;)

Ciao, Marcus
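
The reason gets cannot be turned into gets_s automatically is that gets takes no size argument, and the bounded form needs a buffer size that only the caller knows. The following is an added example, not code from this thread or from Wine: a bounded line reader modeled on the C11 Annex K description of gets_s (without the constraint handler). The names read_line_s and demo_accept_mask are hypothetical and the input is constructed.

```c
#include <stdio.h>

/* Hypothetical helper. Reads one line from `in` into buf[size], without
 * the newline. Returns buf on success, NULL at end of input or when the
 * line does not fit. On overflow the rest of the line is discarded and
 * buf is set to "", so the next call starts at the following line. */
char *read_line_s(char *buf, size_t size, FILE *in)
{
    size_t n = 0;
    int c;

    if (buf == NULL || size == 0 || in == NULL)
        return NULL;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 >= size) {              /* no room left for the NUL */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                         /* drain the oversized line */
            buf[0] = '\0';
            return NULL;
        }
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    return (c == EOF && n == 0) ? NULL : buf;
}

/* Constructed input: three lines pushed through an 8-byte buffer.
 * Bit i of the result is set when line i was accepted. */
int demo_accept_mask(void)
{
    static const char input[] = "hello\nAAAAAAAAAAAAAAAAAAAAAAAA\nwine\n";
    char buf[8];
    int mask = 0;
    FILE *in = tmpfile();

    if (in == NULL) return -1;
    fputs(input, in);
    rewind(in);
    for (int i = 0; i < 3; i++)
        if (read_line_s(buf, sizeof buf, in) != NULL) mask |= 1 << i;
    fclose(in);
    return mask;
}

int main(void)
{
    printf("accepted-line mask: %d\n", demo_accept_mask());
    return 0;
}
```

The oversized second line is rejected as a whole and does not spill into the third read, which is the behaviour a caller of plain gets has no way to request.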



More information about the wine-devel mailing list