Unsecured API functions
Tom Spear
speeddymon at gmail.com
Thu May 3 16:16:31 CDT 2007
On 5/3/07, Robert Shearman <rob at codeweavers.com> wrote:
> Tom Spear wrote:
> > I was writing up a Hello World with input program for a demonstration
> > for a non-developer coworker last week, and used the unsecured getch()
> > and got the standard warning about how it was unsecured and dangerous
> > to use that. That prompted me to look up the basic secured functions
> > on the MS website, and compare to Wine code. According to MSDN,
> > things like gets have been replaced with gets_s. However, as far as I
> > can tell, Wine still only implements gets for Windows programs to
> > use. Do we implement secured versions of other functions, and if
> > not, how come?
>
> Q: Why doesn't Wine implement X?
> A: Because not many programs use it and no-one has felt interested in
> implementing it for fun.

So in other words, most programs use insecure functions (like gets)
instead of using secure functions (like gets_s), leaving themselves
vulnerable to all sorts of buffer overflows? I wonder if Microsoft
doesn't silently convert gets calls to gets_s calls, then, and maybe
didn't document that?

Otherwise I assume there would be thousands of buffer overflows that
(malicious) people would exploit.

I understand that most programs don't use either of those functions,
but there are others that are used by nearly every program that MS
deprecated in favor of secure versions.

--
Thanks
Tom
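
Added example, not part of the original message and not Wine or Microsoft code: a sketch of the bounded line read that gets_s stands for in the discussion above, modelled on the C11 Annex K description of gets_s. The names bounded_gets and make_input are hypothetical, the input is constructed, and the function reads from a FILE* rather than stdin so it can be run offline.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: read one line into buf without ever writing more
 * than size bytes. Unlike gets(), the caller has to pass the buffer size,
 * which is the only thing that makes the bound enforceable. */
char *bounded_gets(char *buf, size_t size, FILE *in)
{
    size_t n = 0;
    int c;

    if (buf == NULL || size == 0 || in == NULL)
        return NULL;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 >= size) {
            /* Line does not fit: discard the rest of it, hand back an
             * empty string and report failure instead of overflowing. */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
            buf[0] = '\0';
            return NULL;
        }
        buf[n++] = (char)c;
    }
    buf[n] = '\0';                       /* newline is consumed, not stored */
    return (c == EOF && n == 0) ? NULL : buf;
}

/* Constructed input: put a string into a temporary file and rewind it. */
FILE *make_input(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(text, f);
        rewind(f);
    }
    return f;
}

int main(void)
{
    char buf[8];
    FILE *f = make_input("hi\nAAAAAAAAAAAAAAAAAAAAAAAA\nok\n");
    if (f == NULL)
        return 1;
    for (int i = 0; i < 3; i++)          /* second line is longer than buf */
        printf("line %d: %s\n", i + 1,
               bounded_gets(buf, sizeof buf, f) ? buf : "(rejected)");
    fclose(f);
    return 0;
}
```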