Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: [PATCH] replacement for mktemp and mkstemp code in Src/utils.c



On 4/20/19, Clinton Bunch <cdb_zshl@xxxxxxxxxxx> wrote:
> Mikael Magnusson wrote:
>> On 4/20/19, Matthew Martin <phy1729@xxxxxxxxx> wrote:
>>> On Fri, Apr 19, 2019 at 02:54:47PM -0500, Clinton Bunch wrote:
>>>> On at least one system mktemp produces very predictable names:
>>>>
>>>> % () { print File: $1; cat $1 } =(print "Hello World")
>>>> File: /tmp/zsh010785
>>>> Hello World
>>>> % () { print File: $1; cat $1 } =(print "Hello World")
>>>> File: /tmp/zsh010785
>>>> Hello World
>>>> % () { print File: $1; cat $1 } =(print "Hello World")
>>>> File: /tmp/zsh010785
>>>> Hello World
>>>> % echo $$
>>>> 10785
>>>>
>>>> This provides an alternate implementation for generating and opening
>>>> temp
>>>> file names.  I considered only using this implementation on known bad
>>>> systems, but I have no way of knowing all of them (or testing for them
>>>> in
>>>> configure).  I see no reason to expect system implementations of mktemp
>>>> or
>>>> mkstemp to be significantly faster than mine unless written in assembly
>>>> (which seems unlikely).
>>> I would strongly prefer using the implementation only on known bad
>>> systems (or prodding the relevant vendors to fix their system). I don't
>>> think speed should be the main consideration here; rather the primary
>>> concern should be security. While your patch is certainly better than
>>> using the native mktemp on at least one system, it would be worse than
>>> the native mktemp on say FreeBSD which uses arc4random_uniform which
>>> does not require a user provided seed nor does it have modulo bias.
> We still face the problem of determining which systems have broken
> implementations.  I know of one, that doesn't mean there aren't others.
>   My implementation could easily be modified to use arc4random_uniform
> on those system on which it is available if that's the primary
> objection.  I'd have used /dev/urandom (at least as a seed) if it were
> available everywhere.
>> The commit message is incomplete, it claims that mktemp is insecure on
>> one system, therefore it replaces mkstemp, which makes no sense. Is
>> mkstemp also insecure on that system, is it not available at all? Do
>> we not even attempt to use mkstemp?
>>
>> Also, please make at least some attempt to use the same coding style
>> as the rest of the code base, ie try to use the space bar sometimes.
>> (You're not even consistent with yourself in some places).
>>
> mkstemp uses the same insecure naming structure.  That is the normal
> case so it seemed redundant to mention it.

mkstemp returns an open file descriptor whereas mktemp returns a
string. According to the specification using mkstemp will always
create a new file that didn't exist, and is safe. If an OS
implementation somehow clobbers existing files when you call mkstemp()
then that's very broken and should be immediately fixed. The worst
outcome of the name being predictable is that someone can perform a
DOS attack against you, ie preventing you from creating a file, but
they won't gain control of any created files.

> Are the code style settings codified anywhere?  The tabs were added by
> Vim's autoident.  A set of options for indent or astyle would make it
> easier for anyone to meet the coding style.

Yeah, Etc/zsh-development-guide. It doesn't explicitly mention that
you should put spaces around operators, but you should do that too.
Ie, these lines
 +ztempfile(char *template,int slen,enum zmt_action action, int *fd)
 +       int padlen=0,r,i,len,success=0,failure=0,attempts=0;
and others
should look like this
 +ztempfile(char *template, int slen, enum zmt_action action, int *fd)
 +       int r, i, len;
 +       int padlen = 0, success = 0, failure = 0, attempts = 0;

-- 
Mikael Magnusson



Messages sorted by: Reverse Date, Date, Thread, Author