
Based on the most recent draft of C++11, C++ refers to ISO/IEC 9899:1999/Cor.3:2007(E) for the definitions of the C library functions (per §1.2[intro.refs]/1).

Based on the most recent draft of C99 TC3, "The gets function is obsolescent, and is deprecated." (per §7.26.9/2)

Can I safely say that gets() is deprecated in both C and C++?

Garen
Cubbi
  • Does it matter? You shouldn't be using it anyway. – Carl Norum Sep 14 '11 at 22:21
  • Well, the man page says: `Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.` So, I'd say don't use it regardless of its official status. – Brian Roach Sep 14 '11 at 22:22
  • gets() should be used only to teach new programmers about buffer overflow. – fbafelipe Sep 14 '11 at 22:27
  • I don't use it, but "dangerous" doesn't sound as strong as "deprecated" in an argument. Many things are dangerous. – Cubbi Sep 14 '11 at 22:28
  • @Cubbi: Many things wrongly labelled "dangerous" have both correct and incorrect uses, and the person calling it "dangerous" is imposing their own judgement based on a likelihood of somebody using it in an incorrect way. On the other hand, `gets` has essentially no correct uses; any use of it results in a buggy program. – R.. GitHub STOP HELPING ICE Sep 14 '11 at 22:30
  • It throws a linker warning. When's the last time you've seen a linker warning that wasn't really dangerous? – Joshua Sep 14 '11 at 22:33

5 Answers

Deprecated means you shouldn't use it and it might be removed in the future. Since both standards say it is deprecated, that means it is deprecated, officially.

David Nehme

Does it matter? The only way you can ever use gets is if stdin is known to be attached to a file whose contents you have full control over. This condition is almost impossible to satisfy, especially on multiprocess systems where other processes may modify files asynchronously with respect to your program. Therefore, for all practical purposes, any program using gets has undefined behavior (i.e. there are possible inputs/environmental conditions for which it will have undefined behavior), and in particular UB which is likely to lead to privilege compromise if your program has higher privileges than the provider of the data.

Edit: OK, here's one safe use of gets, about the only one I can think of right off...

```c
if (feof(stdin)) gets(buf);
```

Of course some buggy implementations (possibly including glibc..?) permit reads even when the EOF indicator is already set for a stream, so....

R.. GitHub STOP HELPING ICE
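
Added example, not part of any answer on this page: a bounded line reader built on `fgets()`, the replacement named in the man page text quoted in the comments, handling the two details a straight swap for `gets()` misses (the retained newline and lines longer than the buffer). The names `read_line`, `nth_line`, `demo_buf` and the `LINE_*` codes are hypothetical, and the input strings are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum { LINE_EOF = -1, LINE_OK = 0, LINE_TRUNCATED = 1 };   /* hypothetical status codes */

/* Bounded stand-in for gets(buf): writes at most `size` bytes into buf. */
int read_line(FILE *fp, char *buf, size_t size)
{
    int n = size > INT_MAX ? INT_MAX : (int)size;
    if (n < 2 || fgets(buf, n, fp) == NULL)
        return LINE_EOF;                 /* no room, end of input, or read error */
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';             /* gets() dropped the newline, fgets() keeps it */
        return LINE_OK;
    }
    int c = getc(fp);                    /* buffer filled, or input ended without '\n' */
    if (c == '\n' || c == EOF)
        return LINE_OK;                  /* the line fit exactly */
    while ((c = getc(fp)) != EOF && c != '\n') { }  /* drop the excess: next read starts a new line */
    return LINE_TRUNCATED;
}

char demo_buf[8];                        /* deliberately small buffer for the demo */
/* Reads the n-th line (0-based) of constructed input into out using read_line(). */
int nth_line(const char *text, int n, char *out, size_t size)
{
    int status = LINE_EOF;
    FILE *fp = tmpfile();                /* temporary file standing in for stdin */
    if (fp == NULL) return LINE_EOF;
    fputs(text, fp);
    rewind(fp);
    for (int i = 0; i <= n; i++)
        if ((status = read_line(fp, out, size)) == LINE_EOF)
            break;
    fclose(fp);
    return status;
}

int main(void)
{
    const char *input = "short\nAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n";  /* constructed input */
    for (int i = 0; i < 3; i++) {
        int st = nth_line(input, i, demo_buf, sizeof demo_buf);
        printf("line %d: status=%d text=\"%s\"\n", i, st, demo_buf);
    }
    return 0;
}
```

The overlong second line is cut to what fits in the buffer and reported as `LINE_TRUNCATED` instead of being written past its end, and the following line is still read intact.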

Even code which would be broken by the removal of gets() from the library would, after such removal, be less broken than it was before such removal. I suppose it might be necessary for compiler vendors to include it in a "fully-standard compliant" mode, but the number of circumstances where it could safely be used is so vanishingly small that it would probably be reasonable to exclude it from a "normal" build.

supercat

Well it was removed altogether from the C11 standard, so I'd take that as a yes.

flarn2006

It's going to be a while until C++11 is implemented everywhere.

Also, most compilers don't even fully support C99 yet.

Microsoft's, for instance, does not.

So no, it's not deprecated in both C and C++.

brain
  • It has been deprecated by all sane programmers for ages. It is present in systems for ages, for reasons of backwards compatibility. That doesn't mean you have to use it; in fact, you should not use it. As for MS not supporting C99; that would be grounds for deprecating MS compilers, in my book. – Jonathan Leffler Sep 14 '11 at 22:39
  • @Jonathan: With the minor detail that Visual-C++ is a, well, *C++* compiler; it has no obligations to fully support C99 (yet, I think with C++11 it does). – Xeo Sep 15 '11 at 00:47
  • Deprecation doesn't necessarily mean modern compilers don't support something. It doesn't even mean they shouldn't—in fact, backwards compatibility is generally seen as a good thing. What it *does* mean is that programmers shouldn't *use* what's been deprecated in new code, and that they're encouraged to remove it from old code. – flarn2006 Dec 13 '15 at 06:29