php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #5744 tempnam() possibly used unsafely
Submitted: 2000-07-23 12:12 UTC Modified: 2000-09-11 18:46 UTC
From: cahagn_o at epita dot fr Assigned: joey (profile)
Status: Closed Package: Compile Warning
PHP Version: 4.0 Latest CVS (23/07/2000) OS: NetBSD 1.3.3
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: cahagn_o at epita dot fr
New email:
PHP Version: OS:

 

 [2000-07-23 12:12 UTC] cahagn_o at epita dot fr
Hi,

I already talked about that in php-dev but got no answer. So
I submit this as a bug report.

Since I compile PHP4 Beta1 to latest snapshop (July 23rd),
the final step (when linking php) shows:

file.c:599: warning: tempnam() possibly used unsafely,
consider using
mkstemp()
rfc1867.c:284: warning: tempnam() possibly used unsafely,
consider using
mkstemp()

I don't know if this important in this case, but as I saw
many bugs on Bugtraq with tempnam(), I thought I'd submit it
anyway.

I'm using NetBSD 1.3.3 x86 with gcc-2.7.2.2+myc2 and my
./configure is:

./configure
--with-config-file-path=/space/www/etc/httpd/conf/php_cgi \
            --enable-discard-path \
            --with-gd=/u/guest/www/mbin/i386-NetBSD \
            --with-mysql \
            --with-dbase \
            --with-zlib=/u/guest/www/mbin/i386-NetBSD \
            --with-mcrypt=/u/guest/www/mbin/i386-NetBSD \
            --with-mhash=/u/guest/www/mbin/i386-NetBSD \
            --enable-ftp \
            --enable-inline-optimization \
            --with-jpeg-dir=/u/guest/www/mbin/i386-NetBSD \
            --with-imap=/u/guest/www/mbin/i386-NetBSD/lib

This warning does not happen with a standard RedHat 6.2 with
egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-09-04 20:27 UTC] sniper@php.net
Is this still happening with latest CVS??

--Jani
 [2000-09-05 07:25 UTC] cahagn_o at epita dot fr
With snaphost php4-200009050245, reflecting Zeev's security fixes, the warnings changed a bit (the lines are different, that's all):

file.c:595: warning: tempnam() possibly used unsafely, consider using mkstemp()
rfc1867.c:329: warning: tempnam() possibly used unsafely, consider using mkstemp()
 [2000-09-06 14:21 UTC] joey@php.net
This will require some kind of major changes.

man mkstemp says:
Don't use this function, use tmpfile(3) instead. It's
better defined and more portable.

The problem is that tmpfile returns a file descriptor
to an already opened file, which is not what is expected
by these portions of code.
 [2000-09-10 05:18 UTC] cahagn_o at epita dot fr
I compiled 200009100045 and there're no more warnings,

config.log recongizes mktemp():

configure:6238: checking for mkstemp
configure:6266: gcc -o conftest -g -O2  -I/usr/pkg/include
-L/usr/pkg/lib conft
est.c -lresolv -lm -lcrypt  -lresolv 1>&5

php compiles without warnings and seems to run fine so far.

I tested it because ChangeLog mentioned Zeev had modified
configuration files to check for mkstemp()

However, joey says that it might be possible to use
tmpfile(), so I don't know if this bug should be closed or not.


 [2000-09-10 13:38 UTC] joey@php.net
Well, I'm pretty sure Zeev's patch will stand up against
anything /I/ have to say. :)
 [2000-09-11 18:46 UTC] stas@php.net
Closed by user request
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Feb 09 12:05:50 2023 UTC