Prevent buffer overflows with gets

Question

The declaration of gets is:

char * gets ( char * str );

Note the glaring omission of a maximum size for str.

cplusplus.com:

Notice that gets is quite different from fgets: not only gets uses stdin as source, but it does not include the ending newline character in the resulting string and does not allow to specify a maximum size for str (which can lead to buffer overflows).

And also:

The most recent revision of the C standard (2011) has definitively removed this function from its specification. The function is deprecated in C++ (as of 2011 standard, which follows C99+TC3).

Now, of course, fgets is commonly recommended as a replacement of gets, because its declaration looks like this:

char * fgets ( char * str, int num, FILE * stream );

It DOES take a size parameter. This makes it much safer than gets.

Now since I'm not willing to shell out money to download or buy the C11 standard, can anyone shed some light on the reason for deprecating gets and what it means for future code? Why did it exist in the same place when fgets is safer? And why is it only just now being deprecated?

Recommended answer

gets is deprecated because it's unsafe: as you already quoted, it may cause a buffer overflow. As a replacement, C11 provides an alternative, gets_s, with a signature like this:

char *gets_s(char *s, rsize_t n);

Note that C11 still recommends fgets as a replacement for gets.

Putting gets in the standard was controversial in the first place, but the Committee decided that gets was useful when the programmer does have adequate control over the input.

Here's the official explanation by the Committee.

Rationale for International Standard - Programming Languages C §7.19.7.7 The gets function:

Because gets does not check for buffer overrun, it is generally unsafe to use when its input is not under the programmer’s control. This has caused some to question whether it should appear in the Standard at all. The Committee decided that gets was useful and convenient in those special circumstances when the programmer does have adequate control over the input, and as longstanding existing practice, it needed a standard specification. In general, however, the preferred function is fgets (see §7.19.7.2).
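
A bounded stand-in for gets built on fgets, as an added example that is not part of the original question or answer; read_line and the LINE_* codes are hypothetical names and the input is constructed. It strips the newline that fgets keeps (gets drops it) and discards the tail of an over-long line instead of writing past the buffer.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1, LINE_BADARG = -2 };

/* Hypothetical helper (not from the page): read one line into buf as gets()
 * would, but never store more than size - 1 characters. The newline is
 * removed, and the unread remainder of an over-long line is discarded so
 * the next call starts on a fresh line. */
int read_line(char *buf, size_t size, FILE *stream)
{
    if (buf == NULL || stream == NULL || size < 2 || size > INT_MAX)
        return LINE_BADARG;
    if (fgets(buf, (int)size, stream) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {          /* whole line fit, newline included */
        buf[len] = '\0';
        return LINE_OK;
    }
    /* No newline stored: the input ended, the line fit exactly and its
     * newline is still unread, or the line is longer than the buffer. */
    int c = fgetc(stream);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != '\n' && c != EOF)    /* drop the rest of the long line */
        c = fgetc(stream);
    return LINE_TRUNCATED;
}

int main(void)
{
    /* Constructed input: a short line, an over-long line, a last line
     * without a trailing newline. */
    FILE *in = tmpfile();
    if (in == NULL)
        return 1;
    fputs("alice\nAAAAAAAAAAAAAAAAAAAAAAAA\nbob", in);
    rewind(in);
    char name[8];
    int rc;
    while ((rc = read_line(name, sizeof name, in)) >= 0)
        printf("%-9s \"%s\"\n", rc == LINE_OK ? "ok" : "truncated", name);
    fclose(in);
    return 0;
}
```

A caller should treat LINE_TRUNCATED as a rejected input rather than silently using the shortened string.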
