- Subject: Re: Warnings and potential security problem in compilation of Lua5.0-alpha
- From: Rob Kendrick <rjek@...>
- Date: Thu, 5 Dec 2002 14:23:55 +0000
On Thu, Dec 05, 2002 at 02:15:18PM +0000, lua+Steven.Murdoch@cl.cam.ac.uk wrote:
<snip>
> ../../lib/liblualib.a(liolib.o): In function `io_tmpname':
> liolib.o(.text+0xbc4): the use of `tmpnam' is dangerous, better use
> `mkstemp'
>
> I think this is connected to the security problems of the tmpnam
> function in file lua-5.0-alpha/src/lib/liolib.c, line 440.
> (http://www.suse.com/us/private/support/howto/secprog/secprog3.html#tmpf).
> It would be a very good idea to switch to mkstemp, or if this is
> non-standard, at least allow it as a compile-time option.

Yes - mkstemp is non-ANSI. tmpnam is dangerous because there are race
conditions resulting in the very, very rare occurrence of two programs
getting the same filename, IIRC.

Lua already has an option to use popen() which I seem to recall is also
non-ANSI - it would be nice to get rid of one more warning during my
project build. :)
--
Rob Kendrick http://www.pepperfish.net/
PGP signed or encrypted mail welcome Key ID: 3651D17A
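
Added example, not part of the original message or of Lua's source: a sketch of the compile-time option the thread asks for, with mkstemp() as the default and a tmpnam() path that creates the file exclusively. The macro EXAMPLE_USE_MKSTEMP, the functions make_tmpfile and create_exclusive, and the /tmp/example_XXXXXX template are assumptions made for illustration; both paths need POSIX open().

```c
/* Added example (not Lua source). EXAMPLE_USE_MKSTEMP, make_tmpfile and
   create_exclusive are hypothetical names. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef EXAMPLE_USE_MKSTEMP
#define EXAMPLE_USE_MKSTEMP 1   /* build with -DEXAMPLE_USE_MKSTEMP=0 for tmpnam */
#endif

/* Create path only if nothing exists there yet; O_EXCL also refuses a
   symlink placed at that name. Returns an open fd, or -1 with errno set. */
int create_exclusive(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Store a fresh temporary file name in buf and return an open descriptor
   for it, or -1 on failure. */
int make_tmpfile(char *buf, size_t buflen) {
#if EXAMPLE_USE_MKSTEMP
    static const char tmpl[] = "/tmp/example_XXXXXX";
    if (buflen < sizeof tmpl) { errno = ENAMETOOLONG; return -1; }
    memcpy(buf, tmpl, sizeof tmpl);
    return mkstemp(buf);        /* picks the name and creates the file in one step */
#else
    char name[L_tmpnam];
    /* tmpnam() only returns a name; the file does not exist until we
       create it, so the create must fail if something appeared meanwhile. */
    if (tmpnam(name) == NULL) return -1;
    if (strlen(name) >= buflen) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, name);
    return create_exclusive(buf);
#endif
}

int main(void) {
    char path[64];
    int fd = make_tmpfile(path, sizeof path);
    if (fd < 0) { perror("make_tmpfile"); return 1; }
    printf("created %s\n", path);
    close(fd);
    return unlink(path) == 0 ? 0 : 1;
}
```

The caller keeps the returned descriptor and uses it instead of reopening the file by name.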