Developing Windows Applications by Mykola Dudar

Helping Developers Build Applications for Windows using Visual Studio.

Deprecation warnings for C Runtime functions when using Visual Studio 2005 Beta 1 or CTP


I am constantly being asked the same question over and over.

"I have old code that uses a CRT function and when I build it with VS2005, I get a deprecation warning. What should I do?"

Let's say you have code like this:

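#include <stdio.h>
#include <string.h>

void foo(char* szA, char* szB) {
   /* Neither call knows the size of szA, so a long szB overruns it. */
   strcpy(szA, szB);
   sprintf(szA, "%s", szB);
}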

If you compile this code with VS2005 Beta 1 or CTP, you see warnings for strcpy and sprintf, which let you know that these functions have been deprecated. A fair question is why they have been deprecated. The short answer: these are inherently insecure functions that can "help" you write code that makes your application vulnerable to buffer overrun attacks.

There are two ways to fix this problem. The first is to change your code to use the new secure variants of these functions, which are strcpy_s and sprintf_s. However, it may take some time to do this for every deprecated CRT function that you use. So the second way is to use #define _CRT_SECURE_NO_DEPRECATE. This define will make all of these deprecation warnings go away. So if you just want to make your app build clean with the new VS, this option may work for you. However, I would not recommend staying with this option for a long time. Go ahead and read about the new Security Enhancements in the CRT. I will also try to post more information about this cool feature implemented in VS2005 on my blog. I know that a draft of a whitepaper on this topic has been prepared that goes into detail on the design and implementation of this feature. As soon as I know about this paper, I will publish a link to it.
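The first option applied to foo(), as an added example that is not code from the original post: strcpy_s and sprintf_s need the destination size, so the function signature has to carry it. The name foo_checked, the cbA parameter, the -1 error code and the non-Microsoft fallback branch are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for foo(): the caller passes the size of the
   destination buffer (cbA, in bytes), which the _s functions require.
   Returns 0 on success, -1 if szB does not fit or an argument is invalid. */
int foo_checked(char *szA, size_t cbA, const char *szB)
{
    if (szA == NULL || cbA == 0)
        return -1;
    /* Reject oversized input before copying, so the caller gets an error
       code and szA holds a valid empty string instead of a partial copy. */
    if (szB == NULL || strlen(szB) >= cbA) {
        szA[0] = '\0';
        return -1;
    }
#if defined(_MSC_VER)
    /* Secure CRT variants: both take the destination size. */
    if (strcpy_s(szA, cbA, szB) != 0)
        return -1;
    if (sprintf_s(szA, cbA, "%s", szB) < 0)
        return -1;
#else
    /* Assumed fallback for compilers without the secure CRT; the length
       was already validated above, and snprintf is bounded by cbA. */
    memcpy(szA, szB, strlen(szB) + 1);
    if (snprintf(szA, cbA, "%s", szB) < 0)
        return -1;
#endif
    return 0;
}

int main(void)
{
    char buf[8];                                   /* constructed sample buffer */
    printf("fits:     %d\n", foo_checked(buf, sizeof buf, "short"));
    printf("too long: %d\n", foo_checked(buf, sizeof buf, "much too long"));
    return 0;
}
```

In the Microsoft CRT, an oversized source passed to strcpy_s invokes the invalid parameter handler, which by default ends the process, so the up-front length check is what turns that failure into a return code.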

 

  • How do you deprecate standard C functions? That's just insane...
  • :-) No, it is not insane. For example, gets() is a standard C function. However, I do not expect a sane developer to use this function in his/her code. :-) It is not insanity, it is evolution. And functions that were standardized a long time before the security of your code became an issue have to be changed and adapted according to the recent developments in IT.
    As I said before, one can always use /D_CRT_SECURE_NO_DEPRECATE to undeprecate these CRT functions.
    Just FYI, AFAIK we are working with the C Standard committee and listening to their feedback and suggestions. Actually, here is the latest draft of this technical report, which I have found just by searching the net:
    http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1088.pdf