[TUHS] [COFF] Community 'deprecation' of gets(3)

Dan Cross via TUHS tuhs at tuhs.org
Thu May 21 23:09:02 AEST 2026


On Wed, May 20, 2026 at 11:04 PM Alexis via COFF <coff at tuhs.org> wrote:
> Wasn't entirely sure whether this would be appropriate for TUHS,
> so erring on the side of caution and posting here. :-) If it _is_
> appropriate, please loop TUHS in on any replies.

[I think this is perfectly acceptable for TUHS; Cc'ed there]

> At what point did the use of gets(3) become 'deprecated' by the C
> / Unix / whatever communities, for security and general buginess
> reasons? In the sense that there was a general consensus that it
> shouldn't be used, particularly due to the security implications,
> despite still being permitted by specs?

I don't know when people first started thinking about it, but after
the November 1988 Morris Internet worm, it was generally understood
that it was a bad idea to use `gets()`, particularly in programs that
were exposed to untrusted input. Especially if those were privileged.

Levy's "Smashing the Stack for Fun and Profit" appeared in Phrack 8
years later, in November 1996, and opened the floodgates for a whole
slew of buffer overrun bugs turned into security exploits. The bulk of
those took a couple of years to address, with new variations on the
theme seemingly discovered every few months: it wasn't just `gets()`,
but `strcpy`/`strcat`, `sprintf`, `printf(buf)` (e.g., without a
format string), and so on, leading to a flurry of activity to try and
introduce safe(r) string operations into C. After that, people who
hadn't before got the message: "gets() is dangerous; don't use it"
along with a few other best practices ("always use an explicit format
string for `printf`", etc.).

Incidentally, `snprintf` came around that time, and a lot of buggy
code was written to try and use `strncpy` and `strncat`; eventually we
got `strlcpy` and `strlcat`, which the world seems to have mostly
settled on: those are in POSIX now.

The long tail of all of that is still with us, though, and new issues
of that class are introduced regularly; sigh.

> gets(3) was:
>
> * included in Issue 1, but i can't find an online copy of that (or
>   of Issue 1 of the SVID)[a];
> * deprecated in C99, removed in C11; and
> * obsoleted by POSIX Issue 7 / .1-2008.

Personally, I am amazed it remained in the C standard and POSIX for as
long as it did.

        - Dan C.
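The two traps Dan mentions, the unbounded line read that `gets()` does and the silently unterminated buffer that a naive `strncpy()` leaves behind, alongside the bounded forms that replaced them. This is an added illustration, not code from the post or from any Unix source; `read_line`, `bounded_copy`, `strncpy_terminates` and `read_nth_line` are names chosen here, and `bounded_copy` only mirrors the `strlcpy()` interface so the truncation check is visible rather than calling the libc routine. Input strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Outcomes of read_line(). */
enum { LINE_EOF = 0, LINE_OK = 1, LINE_TRUNCATED = -1 };

/*
 * Bounded replacement for the gets() idiom.  Reads one line into
 * buf[bufsize], strips the trailing newline and NUL-terminates.  Where
 * gets() would write past the end of buf, this stops at bufsize-1 bytes,
 * reports LINE_TRUNCATED, and discards the rest of the over-long line so
 * the next call starts on a fresh line instead of the leftover bytes.
 */
int read_line(FILE *fp, char *buf, size_t bufsize)
{
    if (bufsize < 2)
        return LINE_TRUNCATED;        /* no room for even one byte + NUL */
    if (bufsize > INT_MAX)
        bufsize = INT_MAX;            /* fgets() takes an int */
    if (fgets(buf, (int)bufsize, fp) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline: either the last line of the input or one that did not fit. */
    int c = fgetc(fp);
    if (c == EOF)
        return LINE_OK;
    while (c != '\n' && c != EOF)     /* drain the remainder of the long line */
        c = fgetc(fp);
    return LINE_TRUNCATED;
}

/*
 * Copy with strlcpy()-style semantics (illustration of the interface, not
 * the libc function): always NUL-terminates when dstsize > 0, never pads,
 * and returns strlen(src) so the caller detects truncation with
 * `if (bounded_copy(...) >= dstsize)`.
 */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/*
 * The strncpy() trap: when strlen(src) >= n the copy carries no terminating
 * NUL, and a later strlen()/printf("%s") on dst runs off the end.  Returns 1
 * if the copy is terminated, 0 if not.  dst is inspected with memchr(), not
 * strlen(), precisely because it may be unterminated.
 */
int strncpy_terminates(const char *src, char *dst, size_t n)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Feed a constructed input through read_line() n times; returns the result
 * of the n-th call and leaves that line in buf (demo/test helper). */
int read_nth_line(const char *input, int n, char *buf, size_t bufsize)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return LINE_EOF;
    fputs(input, fp);
    rewind(fp);
    int rc = LINE_EOF;
    for (int i = 0; i < n; i++)
        rc = read_line(fp, buf, bufsize);
    fclose(fp);
    return rc;
}

int main(void)
{
    char line[16];
    int rc;
    /* Each over-long stdin line is reported rather than overrunning `line`. */
    while ((rc = read_line(stdin, line, sizeof line)) != LINE_EOF)
        printf("%s: %s\n", rc == LINE_OK ? "ok" : "truncated", line);
    return 0;
}
```

The property worth noting is the return value: both `read_line` and `bounded_copy` tell the caller that input was cut off, which is exactly what `gets()` and `strncpy()` never do, and what the `strncpy`/`strncat` era of "fixes" so often got wrong by bounding the write but losing the terminator.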

