apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chuck Murcko <ch...@topsail.org>
Subject a security nit
Date Sun, 02 Jun 2002 10:24:50 GMT
Is this warning:

htpasswd.o: In function `main':
/x1/home/chuck/httpd-2.0-nightly/support/htpasswd.c(.text+0xa84): 
warning: tmpnam() possibly used unsafely; consider using mkstemp()

1) the sort of thing to involve apr in, or

2) should I just open()/close() the file before it really gets fopen()ed 
thus:

if((tmp_fd = open(tmp_name, O_RDWR|O_CREAT|O_EXCL, 0600)) < 0)
{
      fprintf(stderr, "tmpfile create failure!\n");
      exit(-1);
}
close(tmp_fd);

which still leaves a narrow timing window of attack but is easily 
portable AFAICS.

3) or just rewrite the thing using open()?

It doesn't seem that big a deal to us so I'd opt for 2) which is at 
least a bit tighter.

Thanks,
Chuck


Mime
View raw message