lua-l archive

> The difference is that clients linking to libc will get the warning not to
> use it, but scripts written in Lua won't.  I realize straight ANSI C
> portability is one of Lua's goals, but it would be very nice if Lua did the
> right thing automatically by preventing someone from writing a script that
> makes insecure use of /tmp...  Either by using mkstemp() where available,
> or at least by putting out the same warning when someone calls tmpnam().

IIRC from looking at the glibc source code, on Linux tmpnam() is
reasonably safe, because when available it uses /dev/urandom to
generate the file name. But I agree, in general it is dangerous and at
least a warning would be nice.

- Christian
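
The difference between the two calls discussed in this thread, as an added C example that is not part of the original message or of Lua's source: `mkstemp()` chooses the name and creates the file in one step, while a name from `tmpnam()` is only safe if it is opened with `O_CREAT | O_EXCL`. The function names, the `tmpdemo-` prefix and the planted-symlink scenario are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Preferred: mkstemp() picks the name and creates the file atomically
 * (exclusive create, owner-only mode), so nothing can be placed at the path
 * between naming and opening. tmpl must end in "XXXXXX" and is overwritten. */
int temp_create(char *tmpl) { return mkstemp(tmpl); }

/* Fallback when only a name is available (e.g. one returned by tmpnam()):
 * O_EXCL makes open() fail with EEXIST if anything, including a symlink,
 * already exists at that path. fopen(name, "w") would follow the symlink. */
int open_name_exclusive(const char *name) {
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: inside a private directory, "predicted" is a symlink
 * to the existing file "victim", planted before the name is opened.
 * Returns 0 if the exclusive open refused the path and victim is unchanged. */
int demo_planted_symlink(void) {
    char dir[] = "/tmp/tmpdemo-XXXXXX", victim[64], predicted[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(predicted, sizeof predicted, "%s/predicted", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || write(v, "data", 4) != 4 || symlink(victim, predicted) != 0) return -1;
    close(v);
    int fd = open_name_exclusive(predicted);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    int intact = (stat(victim, &st) == 0 && st.st_size == 4);
    unlink(predicted); unlink(victim); rmdir(dir);
    return (refused && intact) ? 0 : 1;
}

int main(void) {
    char tmpl[] = "/tmp/tmpdemo-XXXXXX";
    int fd = temp_create(tmpl);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s; planted-symlink check: %d\n", tmpl, demo_planted_symlink());
    close(fd); unlink(tmpl);
    return 0;
}
```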