apr-dev mailing list archives

From Chuck Murcko <ch...@topsail.org>
Subject a security nit
Date Sun, 02 Jun 2002 10:24:50 GMT

Is this warning:

htpasswd.o: In function `main':
warning: tmpnam() possibly used unsafely; consider using mkstemp()

1) the sort of thing to involve apr in, or

2) should I just open()/close() the file before it really gets fopen()ed 

if((tmp_fd = open(tmp_name, O_RDWR|O_CREAT|O_EXCL, 0600)) < 0)
      fprintf(stderr, "tmpfile create failure!\n");

which still leaves a narrow timing window of attack but is easily 
portable AFAICS.

3) or just rewrite the thing using open()?

It doesn't seem that big a deal to us so I'd opt for 2) which is at 
least a bit tighter.
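
Added example (not part of the original message, and not htpasswd or APR code): one way to follow the warning's suggestion is to call mkstemp() and then fdopen() the descriptor it returns, so the file is never reopened by name, which is the window option 2 leaves open. The function names, the /tmp path and the sample line written to the file are assumptions made up for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* tmpl must end in "XXXXXX"; mkstemp() overwrites it with the chosen name. */
FILE *tmp_stream_create(char *tmpl)
{
    int fd = mkstemp(tmpl);         /* atomic create + open, mode 0600 */
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w+");    /* stdio stream on the same descriptor */
    if (fp == NULL) {
        int saved = errno;
        close(fd);
        unlink(tmpl);               /* do not leave a stray file behind */
        errno = saved;
    }
    return fp;
}

/* 1 if the stream is a regular owner-only file and path still names it. */
int tmp_stream_is_private(FILE *fp, const char *path)
{
    struct stat by_fd, by_name;
    if (fstat(fileno(fp), &by_fd) != 0 || lstat(path, &by_name) != 0)
        return 0;
    return S_ISREG(by_fd.st_mode)
        && (by_fd.st_mode & (S_IRWXG | S_IRWXO)) == 0
        && by_fd.st_dev == by_name.st_dev
        && by_fd.st_ino == by_name.st_ino;
}

int main(void)
{
    char name[] = "/tmp/htpasswd-example-XXXXXX";   /* constructed path */
    FILE *fp = tmp_stream_create(name);
    if (fp == NULL) {
        perror("mkstemp");
        return 1;
    }
    fputs("user:placeholder-hash\n", fp);           /* constructed content */
    printf("%s private=%d\n", name, tmp_stream_is_private(fp, name));
    fclose(fp);
    unlink(name);
    return 0;
}
```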

