Re: [PATCH] replacement for mktemp and mkstemp code in Src/utils.c

[Clinton Bunch <cdb_zshl@xxxxxxxxxxx>]

Mikael Magnusson wrote:
> On 4/20/19, Matthew Martin <phy1729@xxxxxxxxx> wrote:
> > On Fri, Apr 19, 2019 at 02:54:47PM -0500, Clinton Bunch wrote:
> > > On at least one system mktemp produces very predictable names:
> > >
> > > % () { print File: $1; cat $1 } =(print "Hello World")
> > > File: /tmp/zsh010785
> > > Hello World
> > > % () { print File: $1; cat $1 } =(print "Hello World")
> > > File: /tmp/zsh010785
> > > Hello World
> > > % () { print File: $1; cat $1 } =(print "Hello World")
> > > File: /tmp/zsh010785
> > > Hello World
> > > % echo $$
> > > 10785
> > >
> > > This provides an alternate implementation for generating and opening temp
> > > file names.  I considered only using this implementation on known bad
> > > systems, but I have no way of knowing all of them (or testing for them in
> > > configure).  I see no reason to expect system implementations of mktemp
> > > or
> > > mkstemp to be significantly faster than mine unless written in assembly
> > > (which seems unlikely).
> > I would strongly prefer using the implementation only on known bad
> > systems (or prodding the relevant vendors to fix their system). I don't
> > think speed should be the main consideration here; rather the primary
> > concern should be security. While your patch is certainly better than
> > using the native mktemp on at least one system, it would be worse than
> > the native mktemp on say FreeBSD which uses arc4random_uniform which
> > does not require a user provided seed nor does it have modulo bias.
We still face the problem of determining which systems have broken 
implementations.  I know of one, that doesn't mean there aren't others.
 My implementation could easily be modified to use arc4random_uniform 
on those system on which it is available if that's the primary 
objection.  I'd have used /dev/urandom (at least as a seed) if it were 
available everywhere.
> The commit message is incomplete, it claims that mktemp is insecure on
> one system, therefore it replaces mkstemp, which makes no sense. Is
> mkstemp also insecure on that system, is it not available at all? Do
> we not even attempt to use mkstemp?
>
> Also, please make at least some attempt to use the same coding style
> as the rest of the code base, ie try to use the space bar sometimes.
> (You're not even consistent with yourself in some places).
mkstemp uses the same insecure naming structure.  That is the normal 
case so it seemed redundant to mention it.

Are the code style settings codified anywhere?  The tabs were added by 
Vim's autoident.  A set of options for indent or astyle would make it 
easier for anyone to meet the coding style.