Re: Warnings and potential security problem in compilation of Lua5.0-alpha

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Warnings and potential security problem in compilation of Lua5.0-alpha
From: Rob Kendrick <rjek@...>
Date: Thu, 5 Dec 2002 14:23:55 +0000

On Thu, Dec 05, 2002 at 02:15:18PM +0000, lua+Steven.Murdoch@cl.cam.ac.uk wrote:

<snip>

> ../../lib/liblualib.a(liolib.o): In function `io_tmpname':
> liolib.o(.text+0xbc4): the use of `tmpnam' is dangerous, better use
> `mkstemp'
> 
> I think this is connected to the security problems of the tmpnam
> function in file lua-5.0-alpha/src/lib/liolib.c, line 440.
> (http://www.suse.com/us/private/
> support/howto/secprog/secprog3.html#tmpf). It would be a very good
> idea to switch to mkstemp, or if this is non-standard, at least allow
> it as an compile-time option.

Yes - mkstmp is non-ANSI.  tmpnam is dangerous because there are race
conditions resulting in the very very rare occurance of two programs
getting the same filename, IIRC.

Lua already has an option to use popen() which I seem to recall is also
non-ANSI - it would be nice to get rid of one more warning during my
project build. :)

-- 
Rob Kendrick                                       http://www.pepperfish.net/
PGP signed or encrypted mail welcome                         Key ID: 3651D17A

References:
- Warnings and potential security problem in compilation of Lua5.0-alpha, lua+Steven . Murdoch

Prev by Date: Warnings and potential security problem in compilation of Lua5.0-alpha
Next by Date: Re: Warnings and potential security problem in compilation of Lua5.0-alpha
Previous by thread: Warnings and potential security problem in compilation of Lua5.0-alpha
Next by thread: Re: Warnings and potential security problem in compilation of Lua5.0-alpha
Index(es):
- Date
- Thread