develooper Front page | perl.perl5.porters | Postings from December 2000

[ID 20001214.003] [PATCH bleadperl] POSIX::tmpnam() is dangerous

From: Dominic Dunlop
Date: December 14, 2000 01:53
Subject: [ID 20001214.003] [PATCH bleadperl] POSIX::tmpnam() is dangerous
Message ID: p04320407b65e3f4853aa@[192.168.1.4]

This is a bug report for perl from domo@ppp100.ip.lu,
generated with the help of perlbug 1.32 running under perl v5.7.0.


-----------------------------------------------------------------
[Please enter your report here]

Edward Avis <epa98@doc.ic.ac.uk> writes to comp.lang.perl.moderated in
article <xn9g0jsmv2f.fsf@texel04.doc.ic.ac.uk>:
>  I noticed a security hole in GNU ed(1) caused by using tmpnam() to
>  generate a name for a temporary file, and then opening this file.  If
>  an attacker can guess the name, he can try to symlink from that name
>  between when the name is generated and the open() call, thus tricking
>  ed into opening the wrong file if he wins the race.  The manual page
>  for glibc's tmpnam() warns:
>
>  >Never use this function. Use mkstemp(3) instead.
>
>  Perl's POSIX module provides tmpnam() which must, in principle, suffer
>  from the same problem.  It's a bad idea to generate a filename in /tmp
>  and then try to open it later.  But tmpnam() seems to be the standard
>  thing that beginners are encouraged to use.  I know I have been using
>  it all the time up until now.
>
>  A better alternative is IO::File::new_tmpfile() which seems to be
>  implemented in terms of PerlIO_tmpfile() or tmpfile() in the C
>  library... which is probably secure.  At least, glibc doesn't
>  explicitly tell you not to use tmpfile(), although mkstemp() is the
>  recommended thing to use.
>
>  Then there is the File::Temp module which seems to have a whole range
>  of checks to make sure your temporary files are secure.  This looks
>  like the one to use, assuming it has been implemented correctly.  But
>  it's not included in perl-5.6.0.
>
>  I feel that POSIX::tmpnam() should generate a warning at the very
>  least, and that the docs should tell you not to use it.  It would
>  probably also be a good idea to include File::Temp in the standard
>  distribution and make that the 'official' way to generate a temporary
>  filehandle (and filename, if you really need the name).
>
>  Comments?

Good points.  It seems that File::Temp will be in the next release of
Perl that follows on from the 5.7.0 development track; whether it will
be in the next maintenance release of 5.6.0 is more doubtful, as
the job of maintenance is to fix problems, not add functionality.

As to the documentation, here's a patch against development Perl.  It
won't apply to 5.6.0.  Let me know if you want a version which does.

--- perl@8102/ext/POSIX/POSIX.pod~	Tue Dec 12 03:30:13 2000
+++ perl@8102/ext/POSIX/POSIX.pod	Thu Dec 14 09:55:19 2000
@@ -1438,7 +1438,9 @@

  	$tmpfile = POSIX::tmpnam();

-See also L<File::Temp>.
+For security reasons, which are probably detailed in your system's
+documentation for the C library tmpnam() function, this interface
+should not be used; instead see L<File::Temp>.

  =item tolower


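Review bot: the replacement sentence in the tmpnam entry gives the reader no reason of its own; it defers to "your system's documentation for the C library tmpnam() function", which is only "probably" there. State the hazard in POSIX.pod itself in one sentence: the name is generated first and the file is opened later, so another process can create that name in between. The `$tmpfile = POSIX::tmpnam();` usage line also still sits above the warning as the thing to copy; consider moving the warning ahead of it so the entry leads with "should not be used" and the pointer to L<File::Temp>.
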
[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
     category=library
     severity=low
---
Site configuration information for perl v5.7.0:

Configured by domo at Tue Sep  5 16:08:31 WET DST 2000.

Summary of my perl5 (revision 5.0 version 7 subversion 0) configuration:
   Platform:
     osname=machten, osvers=4.1.4, archname=powerpc-machten
     uname='machten ppp100 5 0.5 powerpc '
     config_args='-Doptimize=-g -e'
     hint=recommended, useposix=true, d_sigaction=define
     usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
     useperlio=undef d_sfio=undef uselargefiles=define usesocks=undef
     use64bitint=undef use64bitall=undef uselongdouble=undef
   Compiler:
     cc='cc', ccflags ='-DNOTDEF_MACHTEN -DREG_INFTY=2047 -DDEBUGGING -I/usr/local/include', optimize='-g', cppflags='-DNOTDEF_MACHTEN -DREG_INFTY=2047 -DDEBUGGING -I/usr/local/include'
     ccversion='', gccversion='2.8.1', gccosandvers='machten4'
     intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
     d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=8
     ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=4
     alignbytes=8, usemymalloc=y, prototype=define
   Linker and Libraries:
     ld='ld', ldflags =' -Xlstack=1048576 -L/usr/local/lib'
     libpth=/usr/local/lib /usr/lib
     libs=-lndbm -lgdbm -ldb -lm -lc -lutil
     libc=/usr/lib/libc.a, so=so, useshrplib=false, libperl=libperl.a
   Dynamic Linking:
     dlsrc=dl_none.xs, dlext=none, d_dlsymun=undef, ccdlflags=''
     cccdlflags='', lddlflags=''

Locally applied patches:


---
@INC for perl v5.7.0:
     /usr/local/lib/perl5/5.7.0/powerpc-machten
     /usr/local/lib/perl5/5.7.0
     /usr/local/lib/perl5/site_perl/5.7.0/powerpc-machten
     /usr/local/lib/perl5/site_perl/5.7.0
     /usr/local/lib/perl5/site_perl/5.6.0/powerpc-machten
     /usr/local/lib/perl5/site_perl/5.6.0
     /usr/local/lib/perl5/site_perl
     .

---
Environment for perl v5.7.0:
     HOME=/home/domo
     LANG (unset)
     LANGUAGE (unset)
     LD_LIBRARY_PATH=/usr/lib
     LOGDIR (unset)
     PATH=/sbin:/usr/sbin:/home/domo/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11/bin:/usr/libexec
     PERL_BADLANG (unset)
     SHELL=/bin/bash

