Bug #5744 tempnam() possibly used unsafely
Submitted: 2000-07-23 12:12 UTC Modified: 2000-09-11 18:46 UTC
From: cahagn_o at epita dot fr Assigned: joey (profile)
Status: Closed Package: Compile Warning
PHP Version: 4.0 Latest CVS (23/07/2000) OS: NetBSD 1.3.3
Private report: No CVE-ID: None
 [2000-07-23 12:12 UTC] cahagn_o at epita dot fr
Hi,

I already talked about that in php-dev but got no answer. So
I submit this as a bug report.

Since I compile PHP4 Beta1 to latest snapshot (July 23rd),
the final step (when linking php) shows:

file.c:599: warning: tempnam() possibly used unsafely, consider using mkstemp()
rfc1867.c:284: warning: tempnam() possibly used unsafely, consider using mkstemp()

I don't know if this is important in this case, but as I saw
many bugs on Bugtraq with tempnam(), I thought I'd submit it
anyway.

I'm using NetBSD 1.3.3 x86 with gcc-2.7.2.2+myc2 and my
./configure is:

./configure \
            --with-config-file-path=/space/www/etc/httpd/conf/php_cgi \
            --enable-discard-path \
            --with-gd=/u/guest/www/mbin/i386-NetBSD \
            --with-mysql \
            --with-dbase \
            --with-zlib=/u/guest/www/mbin/i386-NetBSD \
            --with-mcrypt=/u/guest/www/mbin/i386-NetBSD \
            --with-mhash=/u/guest/www/mbin/i386-NetBSD \
            --enable-ftp \
            --enable-inline-optimization \
            --with-jpeg-dir=/u/guest/www/mbin/i386-NetBSD \
            --with-imap=/u/guest/www/mbin/i386-NetBSD/lib

This warning does not happen with a standard RedHat 6.2 with
egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)

 [2000-09-04 20:27 UTC] sniper@php.net
Is this still happening with latest CVS??

--Jani
 [2000-09-05 07:25 UTC] cahagn_o at epita dot fr
With snapshot php4-200009050245, reflecting Zeev's security fixes, the warnings changed a bit (the lines are different, that's all):

file.c:595: warning: tempnam() possibly used unsafely, consider using mkstemp()
rfc1867.c:329: warning: tempnam() possibly used unsafely, consider using mkstemp()
 [2000-09-06 14:21 UTC] joey@php.net
This will require some kind of major changes.

man mkstemp says:
Don't use this function, use tmpfile(3) instead. It's
better defined and more portable.

The problem is that tmpfile returns a file descriptor
to an already opened file, which is not what is expected
by these portions of code.
 [2000-09-10 05:18 UTC] cahagn_o at epita dot fr
I compiled 200009100045 and there're no more warnings,

config.log recognizes mktemp():

configure:6238: checking for mkstemp
configure:6266: gcc -o conftest -g -O2  -I/usr/pkg/include -L/usr/pkg/lib conftest.c -lresolv -lm -lcrypt  -lresolv 1>&5

php compiles without warnings and seems to run fine so far.

I tested it because ChangeLog mentioned Zeev had modified
configuration files to check for mkstemp()

However, joey says that it might be possible to use
tmpfile(), so I don't know if this bug should be closed or not.


 [2000-09-10 13:38 UTC] joey@php.net
Well, I'm pretty sure Zeev's patch will stand up against
anything /I/ have to say. :)
 [2000-09-11 18:46 UTC] stas@php.net
Closed by user request
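
The thread turns on needing both a file name and an open file, which is what mkstemp() returns in one step. The sketch below is an added example, not code from PHP's file.c or rfc1867.c; safe_temp_open, exclusive_open and the "php" name prefix are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* declares mkstemp() in strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: writes the created file's name into `path` and
 * returns an open descriptor, or -1 on error. mkstemp() replaces the
 * XXXXXX suffix and creates the file with O_CREAT|O_EXCL, so choosing
 * the name and creating the file cannot be separated by another process. */
int safe_temp_open(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/phpXXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);
}

/* The check a tempnam()-then-open sequence lacks: if the name already
 * exists (a file or symlink created after the name was generated),
 * O_EXCL makes open() fail with EEXIST instead of writing through it. */
int exclusive_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    char path[256];
    struct stat st;
    int fd = safe_temp_open("/tmp", path, sizeof path);
    if (fd < 0 || fstat(fd, &st) != 0) { perror("temp file"); return 1; }
    printf("created %s mode %o\n", path, (unsigned)(st.st_mode & 0777));

    /* The name now exists, so a second exclusive create must be refused. */
    int again = exclusive_open(path);
    printf("second exclusive open: %s\n", again < 0 ? strerror(errno) : "opened");
    if (again >= 0) close(again);
    close(fd);
    unlink(path);
    return 0;
}
```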
 
Last updated: Sat Dec 21 18:01:29 2024 UTC