Unsecured API functions
speeddymon at gmail.com
Thu May 3 16:16:31 CDT 2007
On 5/3/07, Robert Shearman <rob at codeweavers.com> wrote:
> Tom Spear wrote:
> > I was writing up a Hello World with input program for a demonstration
> > for a non-developer coworker last week, and used the unsecured getch()
> > and got the standard warning about how it was unsecured and dangerous
> > to use that. That prompted me to look up the basic secured functions
> > on the MS website, and compare to Wine code. According to MSDN,
> > things like gets have been replaced with gets_s. However, as far as I
> > can tell, Wine still only implements gets for Windows programs to
> > use. Do we implement secured versions of other functions, and if
> > not, how come?
> Q: Why doesn't Wine implement X?
> A: Because not many programs use it and no-one has felt interested in
> implementing it for fun.
So in other words, most programs use insecure functions (like gets)
instead of using secure functions (like gets_s), leaving themselves
vulnerable to all sorts of buffer overflows? I wonder if Microsoft
doesn't silently convert gets calls to gets_s calls, then, and maybe
didn't document that?
Otherwise I assume there would be thousands of buffer overflows that
(malicious) people would exploit.
I understand that most programs don't use either of those functions,
but there are others that are used by nearly every program that MS
deprecated in favor of secure versions.
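
The difference the thread turns on is that gets() takes no buffer size, so it cannot stop at the end of the caller's buffer, while gets_s() takes the size as a second argument. The C sketch below is an added example, not part of the original message and not Wine or Microsoft code; `bounded_gets` is a hypothetical helper that follows the reject-on-overflow behaviour C11 Annex K specifies for gets_s, and the input lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a Wine or MSVC function): reads one line into
 * buf, which holds `size` bytes, and never writes past it. As C11 Annex K
 * specifies for gets_s(), an overlong line is rejected rather than
 * truncated: buf is emptied, the rest of the line is discarded, and NULL
 * is returned. NULL is also returned at end of input. */
char *bounded_gets(char *buf, size_t size, FILE *in)
{
    size_t len = 0;
    int c, overflow = 0;

    if (buf == NULL || size == 0 || in == NULL)
        return NULL;

    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (len + 1 < size)
            buf[len++] = (char)c;   /* room left for this byte and the NUL */
        else
            overflow = 1;           /* keep draining so the next call starts on a new line */
    }
    if (overflow || (c == EOF && len == 0)) {
        buf[0] = '\0';
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    char buf[8];                    /* deliberately small buffer */
    FILE *in = tmpfile();           /* constructed sample input */
    if (in == NULL)
        return 1;
    fputs("hello\nthis line is far too long\nok\n", in);
    rewind(in);
    for (int i = 0; i < 3; i++)
        puts(bounded_gets(buf, sizeof buf, in) ? buf : "(rejected: too long)");
    fclose(in);
    return 0;
}
```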