| ID | Project | Category | View Status | Date Submitted | Last Update | ||||||
| 0004797 | OCaml | OCaml general | public | 2009-05-19 21:35 | 2012-09-17 14:07 | ||||||
| Reporter | avsm | ||||||||||
| Assigned To | meyer | ||||||||||
| Priority | normal | Severity | minor | Reproducibility | always | ||||||
| Status | assigned | Resolution | open | ||||||||
| Platform | OS | OS Version | |||||||||
| Product Version | 3.11.0 | ||||||||||
| Target Version | 4.01.0+dev | Fixed in Version | |||||||||
| Summary | 0004797: insecure temp file handling in yacc | ||||||||||
| Description | We have a patch in the OpenBSD OCaml port to use mkstemp(3) instead of mktemp(3), to avoid insecure temporary file creation. mkstemp(3) is fairly widespread these days. but our patch is guarded by a #define(__OPENBSD__) which probably needs to be replaced with something better. http://www.openbsd.org/cgi-bin/cvsweb/ports/lang/ocaml/patches/patch-yacc_main_c?rev=1.5 [^] --- yacc/main.c.orig Mon Jan 23 17:38:43 2006 +++ yacc/main.c Tue May 2 11:34:56 2006 @@ -55,6 +55,14 @@ char *text_file_name; char *union_file_name; char *verbose_file_name; +#if defined(__OpenBSD__) +#define HAVE_MKSTEMP +#endif + +#ifdef HAVE_MKSTEMP +int action_fd = -1, entry_fd = -1, text_fd = -1, union_fd = -1; +#endif + FILE *action_file; /* a temp file, used to save actions associated */ /* with rules until the parser is written */ FILE *entry_file; @@ -93,16 +101,29 @@ char *rassoc; short **derives; char *nullable; +#if !defined(HAVE_MKSTEMP) extern char *mktemp(char *); +#endif extern char *getenv(const char *); void done(int k) { +#ifdef HAVE_MKSTEMP + if (action_fd != -1) + unlink(action_file_name); + if (entry_fd != -1) + unlink(entry_file_name); + if (text_fd != -1) + unlink(text_file_name); + if (union_fd != -1) + unlink(union_file_name); +#else if (action_file) { fclose(action_file); unlink(action_file_name); } if (entry_file) { fclose(entry_file); unlink(entry_file_name); } if (text_file) { fclose(text_file); unlink(text_file_name); } if (union_file) { fclose(union_file); unlink(union_file_name); } +#endif if (output_file && k > 0) { fclose(output_file); unlink(output_file_name); } 
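Review bot: In the HAVE_MKSTEMP branch of done() the four fclose() calls that the #else branch keeps are gone, so the streams that open_files() later fdopen()s are left open and are only flushed by process exit; unlink() on an open file is fine, but the cleanup should stay symmetric, e.g. `if (action_file) fclose(action_file);` followed by `if (action_fd != -1) unlink(action_file_name);` and likewise for entry, text and union. Do not additionally close(action_fd) after the fclose(): fdopen() hands ownership of the descriptor to the stream, so that would be a double close. The same hunk hides the mktemp prototype under `#if !defined(HAVE_MKSTEMP)` but adds no declaration for mkstemp; unless a header this file already includes provides <stdlib.h> (not visible here), mkstemp is implicitly declared, so add `#include <stdlib.h>` (or an `extern int mkstemp(char *);` in the same style as the existing externs). done() may continue past the end of the hunk.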
@@ -302,11 +323,26 @@ void create_file_names(void) union_file_name[len + 5] = 'u'; #ifndef NO_UNIX +#ifdef HAVE_MKSTEMP + action_fd = mkstemp(action_file_name); + if (action_fd == -1) + open_error(action_file_name); + entry_fd = mkstemp(entry_file_name); + if (entry_fd == -1) + open_error(entry_file_name); + text_fd = mkstemp(text_file_name); + if (text_fd == -1) + open_error(text_file_name); + union_fd = mkstemp(union_file_name); + if (union_fd == -1) + open_error(union_file_name); +#else mktemp(action_file_name); mktemp(entry_file_name); mktemp(text_file_name); mktemp(union_file_name); #endif +#endif len = strlen(file_prefix); @@ -347,15 +383,27 @@ void open_files(void) open_error(input_file_name); } +#ifdef HAVE_MKSTEMP + action_file = fdopen(action_fd, "w"); +#else action_file = fopen(action_file_name, "w"); +#endif if (action_file == 0) open_error(action_file_name); +#ifdef HAVE_MKSTEMP + entry_file = fdopen(entry_fd, "w"); +#else entry_file = fopen(entry_file_name, "w"); +#endif if (entry_file == 0) open_error(entry_file_name); +#ifdef HAVE_MKSTEMP + text_file = fdopen(text_fd, "w"); +#else text_file = fopen(text_file_name, "w"); +#endif if (text_file == 0) open_error(text_file_name); @@ -371,7 +419,11 @@ void open_files(void) defines_file = fopen(defines_file_name, "w"); if (defines_file == 0) open_error(defines_file_name); +#ifdef HAVE_MKSTEMP + union_file = fdopen(union_fd, "w"); +#else union_file = fopen(union_file_name, "w"); +#endif if (union_file == 0) open_error(union_file_name); } | ||||||||||
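Review bot: The HAVE_MKSTEMP block in create_file_names() repeats the same mkstemp/check/open_error triple four times; a small static helper keeps the error handling in one place and makes it easier to see that every template goes through the same path. mkstemp(3) also requires each template to end in six X characters; the names are patched (`union_file_name[len + 5] = 'u'`) before this block, so I assume the template shape already satisfies that — worth confirming, since mkstemp fails with EINVAL otherwise. The helper below replaces only the four added mkstemp blocks; the #else mktemp branch and the rest of create_file_names() are unchanged.
```c
/* mkstemp() the template in place; exits via open_error() on failure. */
static int open_temp(char *name)
{
    int fd = mkstemp(name);
    if (fd == -1)
        open_error(name);
    return fd;
}
/* … unchanged: create_file_names() up to the #ifdef HAVE_MKSTEMP … */
    action_fd = open_temp(action_file_name);
    entry_fd = open_temp(entry_file_name);
    text_fd = open_temp(text_file_name);
    union_fd = open_temp(union_file_name);
/* … unchanged: #else mktemp branch, #endif, len = strlen(file_prefix) … */
```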
| Tags | No tags attached. | ||||||||||
| Attached Files | |||||||||||
Notes |
(0008089) doligez (manager) 2012-09-17 14:07 |
Note that you shouldn't be running ocamlyacc (or any of the OCaml tools, really) in an insecure environment anyway. |
Issue History |
| Date Modified | Username | Field | Change |
| 2009-05-19 21:35 | avsm | New Issue | |
| 2009-05-20 14:10 | doligez | Status | new => acknowledged |
| 2012-07-11 14:51 | doligez | Target Version | => 4.01.0+dev |
| 2012-07-31 13:36 | doligez | Target Version | 4.01.0+dev => 4.00.1+dev |
| 2012-09-02 15:26 | meyer | Assigned To | => meyer |
| 2012-09-02 15:26 | meyer | Status | acknowledged => assigned |
| 2012-09-17 14:07 | doligez | Note Added: 0008089 | |
| 2012-09-17 14:07 | doligez | Target Version | 4.00.1+dev => 4.01.0+dev |