[13738] in bugtraq
Re: Perl's alleged tempfile vulnerabilities
daemon@ATHENA.MIT.EDU (Tom Christiansen)
Mon Feb 7 18:24:14 2000
Message-Id: <11806.949931797@chthon>
Date: Mon, 7 Feb 2000 06:56:37 -0700
Reply-To: Tom Christiansen <tchrist@CHTHON.PERL.COM>
From: Tom Christiansen <tchrist@CHTHON.PERL.COM>
X-To: Lupe Christoph <lupe@lupe-christoph.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from Lupe Christoph <lupe@lupe-christoph.de> of "Sun, 06
Feb 2000 10:35:17 +0100."
<20000206103516.O12877@alanya.lupe-christoph.de>
>Both sfio97 and sfio98 have (except for one teensy change) the same
>sftmp.c. sftmp.c has this file creation code:
>
[randomization stuff deleted]
>
> if((fd = open(file,O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY,SF_CREATMODE)) >= 0)
Thanks for that sniplet!
The real problems as I perceive them are the following, ranked
by seriousness:
1) ISSUE: People think that open(TMP, ">/tmp/foo.$$") is fine.
FIX: Point out in the perlfunc/open doc that this is not
secure, especially in directories anyone can delete
anything from. Refer readers to a new section in the
perlsec manpage on secure Perl programming that would
cover diverse non-trivial and non-obvious tmpfile issues.
2) ISSUE: By relying upon native semantics for tmpfile and tmpnam
(and making them more than somewhat hard-to-find), Perl
is at the mercy of each platform's peculiar problems.
For example, on SunOS and SysVr3-derived code, tmpfile
appears to use fopen(path, "w+"), which is problematic.
FIX: We should include in Perl implementations for these
routines whose provenance we can guarantee, irrespective
of platform. That way we *know* what we're getting.
This is like the matter of using our own globbing code
instead of calling out to a native executable. The
fixes suggested for issue #1 should satisfy the "hard
to find" part here.
3) ISSUE: There exists no standard equivalent in Perl to the libc
functions mktemp(3), mkstemp(3), mkstemps(3), or
mkdtemp(3). These functions all receive as an argument
a mutable template string, thus permitting the program
to specify the directory in which the temp files shall
occur, and the general format of their names.
FIX: Add some or all of these templatizing functions to the
standard Perl distribution. Define tmpfile() in terms
of mkstemp(), with an unlink(). These can all go in
one module, not scattered about as IO::File::tmpfile()
and POSIX::tmpnam() currently are. Although there is
a CPAN module for some of this, that module is buggy.
Include doc fixes per issue #1.
--tom
