On Thu, Dec 05, 2002 at 02:15:18PM +0000, lua+Steven.Murdoch@cl.cam.ac.uk wrote:

<snip>

> ../../lib/liblualib.a(liolib.o): In function `io_tmpname':
> liolib.o(.text+0xbc4): the use of `tmpnam' is dangerous, better use
> `mkstemp'
> 
> I think this is connected to the security problems of the tmpnam
> function in file lua-5.0-alpha/src/lib/liolib.c, line 440.
> (http://www.suse.com/us/private/support/howto/secprog/secprog3.html#tmpf).
> It would be a very good idea to switch to mkstemp, or if this is
> non-standard, at least allow it as a compile-time option.

Yes - mkstemp is non-ANSI.  tmpnam is dangerous because there are race
conditions resulting in the very very rare occurrence of two programs
getting the same filename, IIRC.

Lua already has an option to use popen() which I seem to recall is also
non-ANSI - it would be nice to get rid of one more warning during my
project build. :)

-- 
Rob Kendrick                                       http://www.pepperfish.net/
PGP signed or encrypted mail welcome                         Key ID: 3651D17A
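
One way to provide the compile-time option discussed in this message, as an added example that is not part of the original post and is not Lua's own code. The names `USE_MKSTEMP`, `open_tmpfile` and `name_is_taken` and the `/tmp/example_XXXXXX` template are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* declares mkstemp() and fdopen() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef USE_MKSTEMP
#define USE_MKSTEMP 1   /* hypothetical build option; 0 selects the ANSI C path */
#endif

/* Opens a new temporary file, stores its name in buf, returns NULL on failure. */
FILE *open_tmpfile(char *buf, size_t len) {
#if USE_MKSTEMP
  static const char tmpl[] = "/tmp/example_XXXXXX";   /* assumed location */
  int fd;
  FILE *f;
  if (len < sizeof tmpl) return NULL;
  memcpy(buf, tmpl, sizeof tmpl);
  fd = mkstemp(buf);   /* chooses the name and creates the file in one step */
  if (fd == -1) return NULL;
  f = fdopen(fd, "w+");
  if (f == NULL) { close(fd); unlink(buf); }
  return f;
#else
  /* ANSI C only: the name is chosen here but the file is created later by
     fopen(), so another process can create that name in between. */
  if (len < L_tmpnam || tmpnam(buf) == NULL) return NULL;
  return fopen(buf, "w+");
#endif
}

/* Returns 1 if an exclusive create at path is refused because it exists. */
int name_is_taken(const char *path) {
  int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
  if (fd == -1) return errno == EEXIST;
  close(fd);
  unlink(path);   /* this call created the file itself, so remove it */
  return 0;
}

int main(void) {
  char name[64];
  FILE *f = open_tmpfile(name, sizeof name);
  if (f == NULL) return 1;
  printf("%s taken=%d\n", name, name_is_taken(name));
  fclose(f);
  return remove(name) != 0;
}
```

Building with `-DUSE_MKSTEMP=0` selects the `tmpnam` path, which is the one the linker warning quoted above refers to.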