sqc 0.4.13

Software Code Quality - CERT C compliance checker
[metadata]
id = "FIO37-C"
type = "recommendation"
category = "FIO"
number = 37
title = "Do not assume that fgets() or fgetws() returns a nonempty string when successful"
description = """
Errors can occur when incorrect assumptions are made about the type of data
being read. These assumptions may be violated, for example, when binary data has
been read from a file instead of text from a user's terminal or the output of a
process is piped to stdin. (See FIO14-C. Understand the difference between text
mode and binary mode with file streams.) On some systems, it may also be
possible to input a null byte (as well as other binary codes) from the keyboard.
Subclause 7.23.7.2 of the C Standard, paragraph 3 [ISO/IEC 9899:2024], says that the
wide-character function fgetws() has the same behavior. Therefore,
if fgets() or fgetws() returns a non-null pointer, it is safe to assume that the
array contains data. However, it is erroneous to assume that the array contains
a nonempty string because the data may contain null characters.
"""
severity = "High"
likelihood = "Probable"
priority = "P18"
level = "L1"
cert_version = "2016 Edition (Wiki)"
last_modified = "May 05, 2025"

[rules.cert_c.FIO37-C]
enabled = true

[references]
wiki = "https://wiki.sei.cmu.edu/confluence/display/c/FIO37-C.+Do+not+assume+that+fgets%28%29+or+fgetws%28%29+returns+a+nonempty+string+when+successful"
cwe = ["CWE-241"]