KTemporaryFile::createLocalFile()

David Faure faure at kde.org
Wed Jul 4 23:25:10 BST 2007


On Wednesday 04 July 2007, Oswald Buddenhagen wrote:
> On Wed, Jul 04, 2007 at 09:44:11PM +0200, David Faure wrote:
> > Much better than getting a temp filename and closing the file, which
> > effectively opens it up to symlink attacks
> >
> this doesn't make any sense. by this logic, the command line utilities
> tempfile and mktemp should be immediately banned from use.

Well, no, since tempfile returns an open FILE*, not just a string.

From man tempnam:

NOTES
       Although tempnam(3) generates names that are difficult to guess, it is nevertheless possible that between the time that
       tempnam(3) returns a pathname, and the time that the program opens it, another program might create that pathname using open(2),
       or create it as a symbolic link. This can lead to security holes. To avoid such possibilities, use the open(2) O_EXCL flag
       to open the pathname. Or better yet, use mkstemp(3) or tmpfile(3).

static QString createLocalFile() is exactly the same API as the bad tempnam: a method that returns a string as opposed to an open file...

> > > K/QTemporaryFile does not provide this functionality directly
> > On purpose.
> i doubt it.
I am 100% sure that Waldo's intent with ktemporaryfile was on purpose,
let's see what the TT guys have to say about QTemporaryFile, but I'm quite
sure they have the same concern.
Why would we bother with such an api if we could just get a temp filename
and then open it the traditional way...

-- 
David Faure, faure at kde.org, sponsored by Trolltech to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
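
Added example, not part of the original message or of KDE/Qt code: the two mitigations named in the quoted man page (the open(2) O_EXCL flag and mkstemp(3)), checked against a constructed scenario in which the generated name already exists as a symbolic link. The function names and the /tmp scratch paths are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Exclusive create: fails with EEXIST if anything, even a dangling symlink, is at path. */
static int open_generated_name(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private scratch directory: "name" already exists as
 * a symlink to "victim" when we open it. Returns 0 if the open was refused
 * with EEXIST and "victim" was never created through the link, else -1. */
int excl_open_refuses_planted_symlink(void)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";
    char name[PATH_MAX], victim[PATH_MAX];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(name, sizeof name, "%s/name", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, name) == 0) {
        int fd = open_generated_name(name);
        if (fd == -1 && errno == EEXIST && lstat(victim, &st) == -1) result = 0;
        if (fd != -1) close(fd);
    }
    unlink(name); unlink(victim); rmdir(dir);
    return result;
}

/* mkstemp(3) chooses the name and opens it in one step. Returns 0 if the result
 * is a regular file with no group/other permission bits, else -1. */
int mkstemp_returns_open_private_file(void)
{
    char path[] = "/tmp/mkstemp-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
    unlink(path); close(fd);
    return ok ? 0 : -1;
}
int main(void) { return excl_open_refuses_planted_symlink() | mkstemp_returns_open_private_file(); }
```

Without O_EXCL, the same open(2) call would follow the link and create "victim", which is the window the man page describes.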



