Zsh Mailing List Archive

Re: [PATCH] replacement for mktemp and mkstemp code in Src/utils.c



On Fri, Apr 19, 2019 at 02:54:47PM -0500, Clinton Bunch wrote:
> On at least one system mktemp produces very predictable names:
> 
> % () { print File: $1; cat $1 } =(print "Hello World")
> File: /tmp/zsh010785
> Hello World
> % () { print File: $1; cat $1 } =(print "Hello World")
> File: /tmp/zsh010785
> Hello World
> % () { print File: $1; cat $1 } =(print "Hello World")
> File: /tmp/zsh010785
> Hello World
> % echo $$
> 10785
> 
> This provides an alternate implementation for generating and opening temp
> file names.  I considered only using this implementation on known bad
> systems, but I have no way of knowing all of them (or testing for them in
> configure).  I see no reason to expect system implementations of mktemp or
> mkstemp to be significantly faster than mine unless written in assembly
> (which seems unlikely).

I would strongly prefer using the implementation only on known bad
systems (or prodding the relevant vendors to fix their system). I don't
think speed should be the main consideration here; rather the primary
concern should be security. While your patch is certainly better than
using the native mktemp on at least one system, it would be worse than
the native mktemp on, say, FreeBSD, which uses arc4random_uniform, which
does not require a user-provided seed nor does it have modulo bias.
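
The two properties named in the reply above (no caller-supplied seed, no modulo bias), as an added C example that is not code from the patch, from zsh, or from either poster. It assumes `/dev/urandom` as the random source and a 62-character alphabet; `unbiased_index`, `fill_suffix` and `open_temp` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define NCHARS 62
/* 256 % 62 == 8: taking byte % 62 directly would favour the first 8 chars. */
#define LIMIT (256 - 256 % NCHARS)

/* Map a random byte to an alphabet index, or -1 when it must be redrawn. */
static int unbiased_index(unsigned char b)
{
    return b < LIMIT ? b % NCHARS : -1;
}

/* Overwrite n characters at p with uniform picks (rejection sampling). */
static int fill_suffix(char *p, size_t n, int rfd)
{
    unsigned char b;
    size_t i = 0;
    while (i < n) {
        if (read(rfd, &b, 1) != 1)
            return -1;
        if (unbiased_index(b) >= 0)
            p[i++] = ALPHABET[unbiased_index(b)];
    }
    return 0;
}

/* tmpl must end in at least 6 'X'. Returns an open fd; name is left in tmpl. */
int open_temp(char *tmpl)
{
    size_t len = strlen(tmpl), start = len;
    int rfd, fd = -1, tries = 0;
    while (start > 0 && tmpl[start - 1] == 'X')
        start--;
    if (len - start < 6) { errno = EINVAL; return -1; }
    if ((rfd = open("/dev/urandom", O_RDONLY)) < 0)  /* kernel-seeded source */
        return -1;
    do {
        if (fill_suffix(tmpl + start, len - start, rfd) < 0)
            break;
        /* O_EXCL: never reuse an existing name or follow a planted symlink. */
        fd = open(tmpl, O_RDWR | O_CREAT | O_EXCL, 0600);
    } while (fd < 0 && errno == EEXIST && ++tries < 16);
    close(rfd);
    return fd;
}
```

The name is generated and the file created in one step, so a guessed name fails the `O_EXCL` open and is redrawn instead of being reused.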


