From 71675a3908d8bf650dce62d174d33391dbaafd2d Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Sat, 14 Mar 2009 12:14:08 +0000
Subject: [PATCH] * libc/include/stdio.h (_mkstemp_r, _mktemp_r): Move declarations to stdlib.h. * libc/include/stdlib.h (mktemp, _mktemp_r): Warn when using. * libc/stdio/mktemp.c: Explain the security risk when using mktemp.
---
 newlib/ChangeLog | 8 ++++++++
 newlib/libc/include/stdio.h | 2 --
 newlib/libc/include/stdlib.h | 4 +++-
 newlib/libc/stdio/mktemp.c | 7 +++++++
 4 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/newlib/ChangeLog b/newlib/ChangeLog
index aa135e05f..2c45c6f82 100644
--- a/newlib/ChangeLog
+++ b/newlib/ChangeLog
@@ -1,3 +1,11 @@
+2009-03-14 Corinna Vinschen
+
+ * libc/include/stdio.h (_mkstemp_r, _mktemp_r): Move declarations
+ to stdlib.h.
+ * libc/include/stdlib.h (mktemp, _mktemp_r): Warn when using.
+ * libc/stdio/mktemp.c: Explain the security risk when using
+ mktemp.
+
 2009-03-12 Craig Howland
 * libc/time/time.tex (wcsftime.def): Include.
diff --git a/newlib/libc/include/stdio.h b/newlib/libc/include/stdio.h
index fd58a25b3..28e590cfc 100644
--- a/newlib/libc/include/stdio.h
+++ b/newlib/libc/include/stdio.h
@@ -411,8 +411,6 @@ int _EXFUN(_iprintf_r, (struct _reent *, const char *, ...)
 _ATTRIBUTE ((__format__ (__printf__, 2, 3))));
 int _EXFUN(_iscanf_r, (struct _reent *, const char *, ...)
 _ATTRIBUTE ((__format__ (__scanf__, 2, 3))));
-int _EXFUN(_mkstemp_r, (struct _reent *, char *));
-char * _EXFUN(_mktemp_r, (struct _reent *, char *));
 FILE * _EXFUN(_open_memstream_r, (struct _reent *, char **, size_t *));
 void _EXFUN(_perror_r, (struct _reent *, const char *));
 int _EXFUN(_printf_r, (struct _reent *, const char *, ...)
diff --git a/newlib/libc/include/stdlib.h b/newlib/libc/include/stdlib.h
index be4fa448b..a6a6e5083 100644
--- a/newlib/libc/include/stdlib.h
+++ b/newlib/libc/include/stdlib.h
@@ -98,7 +98,9 @@ size_t _EXFUN(_wcstombs_r,(struct _reent *, char *, const wchar_t *, size_t, _mb
 #ifndef __STRICT_ANSI__
 #ifndef _REENT_ONLY
 int _EXFUN(mkstemp,(char *));
-char * _EXFUN(mktemp,(char *));
+int _EXFUN(_mkstemp_r, (struct _reent *, char *));
+char * _EXFUN(mktemp,(char *) _ATTRIBUTE ((warning ("the use of `mktemp' is dangerous; use `mkstemp' instead"))));
+char * _EXFUN(_mktemp_r, (struct _reent *, char *) _ATTRIBUTE ((warning ("the use of `mktemp' is dangerous; use `mkstemp' instead"))));
 #endif
 #endif
 _VOID _EXFUN(qsort,(_PTR __base, size_t __nmemb, size_t __size, int(*_compar)(const _PTR, const _PTR)));
diff --git a/newlib/libc/stdio/mktemp.c b/newlib/libc/stdio/mktemp.c
index e00228e15..c4347cd05 100644
--- a/newlib/libc/stdio/mktemp.c
+++ b/newlib/libc/stdio/mktemp.c
@@ -85,6 +85,13 @@ unless it could not generate an unused filename, or the pattern you provided is not suitable for a filename; in that case, it returns <<-1>>.
+NOTES
+Never use <>. The generated filenames are easy to guess and
+there's a race between the test if the file exists and the creation
+of the file. In combination this makes <> prone to attacks
+and using it is a security risk. Whenever possible use <>
+instead. It doesn't suffer the race condition.
+
 PORTABILITY ANSI C does not require either <> or <>; the System V Interface Definition requires <> as of Issue 2.
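Review bot: The relocated `_mkstemp_r` and `_mktemp_r` prototypes now sit between `#ifndef _REENT_ONLY` and its `#endif`, so a build that defines `_REENT_ONLY` loses the declarations of exactly the reentrant entry points it is meant to call, and the compiler no longer checks those calls against a prototype. I would keep only `mkstemp` and `mktemp` inside that guard and place the two `_r` prototypes after the first `#endif`. Separately, the attribute is spelled `warning`, whereas the stdio.h context lines in this patch use reserved spellings such as `__format__`; writing `_ATTRIBUTE ((__warning__ ("...")))` avoids a clash with a user macro named `warning`. The attribute is a GCC extension, so a compiler that accepts `__attribute__` but does not know `warning` may emit an unknown-attribute diagnostic on every include of stdlib.h; whether `_ATTRIBUTE` is gated on a compiler version is not visible here.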
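Review bot: The new NOTES paragraph says the replacement does not suffer the race but not why, and it mixes "Never use" with "Whenever possible", which leaves the reader unsure whether any use is acceptable. I would add one sentence along the lines of `<<mkstemp>> creates and opens the file in a single step and returns the descriptor; keep using that descriptor rather than reopening the file by name.` and settle on one strength of wording. The surrounding documentation comment starts and ends outside this hunk, so the statement about how the file is created should be checked against the implementation further down in mktemp.c before it is added.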