php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #5744 tempnam() possibly used unsafely
Submitted: 2000-07-23 12:12 UTC Modified: 2000-09-11 18:46 UTC
From: cahagn_o at epita dot fr Assigned: joey (profile)
Status: Closed Package: Compile Warning
PHP Version: 4.0 Latest CVS (23/07/2000) OS: NetBSD 1.3.3
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cahagn_o at epita dot fr
New email:
PHP Version: OS:

 

 [2000-07-23 12:12 UTC] cahagn_o at epita dot fr 
Hi,

I already talked about that in php-dev but got no answer. So
I submit this as a bug report.

Since I compile PHP4 Beta1 to latest snapshop (July 23rd),
the final step (when linking php) shows:

file.c:599: warning: tempnam() possibly used unsafely,
consider using
mkstemp()
rfc1867.c:284: warning: tempnam() possibly used unsafely,
consider using
mkstemp()

I don't know if this important in this case, but as I saw
many bugs on Bugtraq with tempnam(), I thought I'd submit it
anyway.

I'm using NetBSD 1.3.3 x86 with gcc-2.7.2.2+myc2 and my
./configure is:

./configure
--with-config-file-path=/space/www/etc/httpd/conf/php_cgi \
            --enable-discard-path \
            --with-gd=/u/guest/www/mbin/i386-NetBSD \
            --with-mysql \
            --with-dbase \
            --with-zlib=/u/guest/www/mbin/i386-NetBSD \
            --with-mcrypt=/u/guest/www/mbin/i386-NetBSD \
            --with-mhash=/u/guest/www/mbin/i386-NetBSD \
            --enable-ftp \
            --enable-inline-optimization \
            --with-jpeg-dir=/u/guest/www/mbin/i386-NetBSD \
            --with-imap=/u/guest/www/mbin/i386-NetBSD/lib

This warning does not happen with a standard RedHat 6.2 with
egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-09-04 20:27 UTC] sniper@php.net 
Is this still happening with latest CVS??

--Jani
 [2000-09-05 07:25 UTC] cahagn_o at epita dot fr 
With snaphost php4-200009050245, reflecting Zeev's security fixes, the warnings changed a bit (the lines are different, that's all):

file.c:595: warning: tempnam() possibly used unsafely, consider using mkstemp()
rfc1867.c:329: warning: tempnam() possibly used unsafely, consider using mkstemp()
 [2000-09-06 14:21 UTC] joey@php.net 
This will require some kind of major changes.

man mkstemp says:
Don't use this function, use tmpfile(3) instead. It's
better defined and more portable.

The problem is that tmpfile returns a file descriptor
to an already opened file, which is not what is expected
by these portions of code.
 [2000-09-10 05:18 UTC] cahagn_o at epita dot fr 
I compiled 200009100045 and there're no more warnings,

config.log recongizes mktemp():

configure:6238: checking for mkstemp
configure:6266: gcc -o conftest -g -O2  -I/usr/pkg/include
-L/usr/pkg/lib conft
est.c -lresolv -lm -lcrypt  -lresolv 1>&5

php compiles without warnings and seems to run fine so far.

I tested it because ChangeLog mentioned Zeev had modified
configuration files to check for mkstemp()

However, joey says that it might be possible to use
tmpfile(), so I don't know if this bug should be closed or not.
 [2000-09-10 13:38 UTC] joey@php.net 
Well, I'm pretty sure Zeev's patch will stand up against
anything /I/ have to say. :)
 [2000-09-11 18:46 UTC] stas@php.net 
Closed by user request
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Apr 24 12:01:29 2024 UTC