New API "ad_mktmpdir" and "ad_opentmpfile"

"ns_mktemp" is deprecated (on the C level) and is prone to vulnerabilities. This affects as well "ad_tmpnam" in OpenACS, which uses "ns_mktemp". Newer C-compilers complain about this more loudly:

    Due to security concerns inherent in the design of mktemp(3), it is highly recommended that you use mkstemp(3) instead.

The security concern is that when ns_mktemp() is used to generate a (unique) file name, which is used for opening a file, an attacker can intercept the running binary and sneak in a different file. Although ns_mktemp() guarantees to return a unique file name, there is no mechanism to prevent another process or an attacker from creating a file with the same name before the application attempts to open it.

The problem with using mkstemp() instead is that it has different semantics, since it returns the open file. So one cannot blindly replace these calls, but it requires some refactoring. Unfortunately, this also affects application code, since NaviServer offers "ns_mktemp" on the Tcl level.

To make it short: one has to separate out different use cases of "ad_tmpnam":

(a) use it to obtain a name for creating a file, which is subsequently opened
(b) use it to obtain a name for creating a directory
(c) use it as a name, providing the name as a unique name to some external programs.

Case (a) is similar to the "mkstemp(3)" recommendation above. For this usage scenario, the call "file tempfile ..." in Tcl 8.6 can be used (but it should also respect the configured tmp directory). This function is also very similar to "ns_opentempdir" in NaviServer, which uses as well "file tempfile". Therefore, we have created a new API call "ad_opentmpfile ..." which respects the OpenACS settings.

Case (b) can be addressed by "file tempdir" in Tcl 8.7, or by a function in tcllib. The new API function "ad_mktmpdir" respects the OpenACS settings, and works for Tcl 8.6 or newer.

Case (c) is somewhat different, since it just wants to create a unique name. This case has not received a special API so far.
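The two safe patterns the message recommends for cases (a) and (b), as an added C example that is not part of this commit or of NaviServer/OpenACS: mkstemp(3) for choosing the name and opening the file in one step, mkdtemp(3) for a private directory, plus a post-open check a caller can run on the result. The tmpdir argument stands in for the configured OpenACS tmp directory, and the "oacs-" prefix used below is a constructed value.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp, lstat on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Build "<tmpdir>/<prefix>XXXXXX" on the heap; the caller frees it.
 * tmpdir stands in for the configured OpenACS tmp directory (assumed). */
static char *tmp_template(const char *tmpdir, const char *prefix) {
    size_t len = strlen(tmpdir) + 1 + strlen(prefix) + 6 + 1;
    char *tmpl = malloc(len);
    if (tmpl != NULL) snprintf(tmpl, len, "%s/%sXXXXXX", tmpdir, prefix);
    return tmpl;
}

/* Case (a): pick the name and create the file in one step. mkstemp(3)
 * opens with O_CREAT|O_EXCL and mode 0600, so nobody can place a file
 * under the chosen name between "name" and "open". It returns an open
 * fd rather than a name, which is the semantic change the message
 * describes. *path_out receives the malloc'd path; -1 on failure. */
int open_tmpfile(const char *tmpdir, const char *prefix, char **path_out) {
    char *tmpl = tmp_template(tmpdir, prefix);
    if (tmpl == NULL) return -1;
    int fd = mkstemp(tmpl);               /* rewrites the XXXXXX in place */
    if (fd < 0) { free(tmpl); return -1; }
    *path_out = tmpl;
    return fd;
}

/* Case (b): create a fresh private directory (mode 0700) atomically.
 * Returns the malloc'd path or NULL. */
char *make_tmpdir(const char *tmpdir, const char *prefix) {
    char *tmpl = tmp_template(tmpdir, prefix);
    if (tmpl == NULL) return NULL;
    if (mkdtemp(tmpl) == NULL) { free(tmpl); return NULL; }
    return tmpl;
}

/* Post-open check: the fd and the path must still name the same regular
 * file (lstat rules out a symlink swapped in under the name) and the
 * file must be readable/writable by its owner only. Returns 1 if so. */
int is_private_tmpfile(int fd, const char *path) {
    struct stat fs, ps;
    if (fstat(fd, &fs) != 0 || lstat(path, &ps) != 0) return 0;
    if (!S_ISREG(fs.st_mode) || !S_ISREG(ps.st_mode)) return 0;
    if (fs.st_dev != ps.st_dev || fs.st_ino != ps.st_ino) return 0;
    return (fs.st_mode & 0777) == 0600;
}
```

A Tcl-level wrapper such as "ad_opentmpfile" has the same shape: it hands back an open channel together with the path, so callers written against a name-only API ("ad_tmpnam") must be adapted to consume the channel.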