Gets in ruby

I’m a newbie in Ruby. And, after a first couple of tutorials, I came across the function ‘gets’. Being similar to the function in C, I was wondering if this would expose programs written in Ruby to buffer overflow vulnerabilities? Or am I overlooking something here that would invalidate such an argument? I mean, does the ‘gets’ in ruby perform bounds checking?

On Dec 22, 2006, at 24:25, Spitfire wrote:

> I’m a newbie in Ruby. And, after a first couple of tutorials, I came across the function ‘gets’. Being similar to the function in C, I was wondering if this would expose programs written in Ruby to buffer overflow vulnerabilities?

Ruby’s gets is similar to C’s gets only if you squint really hard.
Likely the biggest problem you’ll come across with gets in ruby is a
stream of bytes with no newline.

> Or am I overlooking something here that would invalidate such an argument? I mean, does the ‘gets’ in ruby perform bounds checking?

All strings in ruby are bounds-checked.


Eric H. - [email protected] - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!

No it will not expose you to buffer overflows. The memory that the
string is going to be put into isn’t even defined yet. The call to
gets ends up defining a chunk of memory big enough, and putting in
the inputted string. Underneath the covers, the C is (supposedly)
coded to not cause buffer overflows.

-Chris
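An added example, not code from either reply, illustrating Eric's point: Ruby's gets never overruns a buffer, but on a stream with no newline it buffers everything, so the defensive habit is to pass the byte limit that IO#gets (and Kernel#gets via ARGF) accepts. StringIO stands in for STDIN so this runs offline, and the sample bytes are constructed.

```ruby
require "stringio"

# Constructed input: one normal line, then a long run of bytes with no
# newline at all (the case Eric warns about). ASCII only, so byte counts
# and character counts agree.
SAMPLE_STREAM = "first line\n" + ("A" * 10_000)

# Unbounded read: gets reads until "\n" or EOF. Ruby allocates a String
# big enough, so there is no C-style overflow, only unbounded growth.
def read_unbounded(io)
  io.gets
end

# Bounded read: gets(limit) stops at the separator or after at most
# `limit` bytes, whichever comes first (it may extend by a byte or two
# so as not to split a multibyte character; irrelevant for ASCII).
def read_bounded(io, limit)
  io.gets(limit)
end

# Reads whole lines but refuses any line longer than max_bytes
# (terminator included) instead of buffering it.
def read_lines_with_cap(io, max_bytes)
  lines = []
  while (line = io.gets(max_bytes))
    # The cap was hit, no terminator was seen and input remains: the real
    # line is longer than allowed, so reject it rather than keep reading.
    if line.bytesize == max_bytes && !line.end_with?("\n") && !io.eof?
      raise ArgumentError, "line exceeds #{max_bytes} bytes"
    end
    lines << line
  end
  lines
end

if $PROGRAM_NAME == __FILE__
  io = StringIO.new(SAMPLE_STREAM)
  read_unbounded(io)                          # "first line\n"
  puts read_unbounded(io).bytesize            # 10000: whole tail buffered
  puts read_bounded(StringIO.new(SAMPLE_STREAM), 64).inspect
end
```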