Bug#744817: clang-3.5: scan-build: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Sat Apr 26 22:05:05 UTC 2014
* Sylvestre Ledru <sylvestre at debian.org>, 2014-04-15, 14:30:
>>1) The directory name is easily predictable:
>>
>> if (!defined $Dir) {
>> $Dir = $ENV{'TMPDIR'} || $ENV{'TEMP'} || $ENV{'TMP'} || "/tmp";
>> $TmpMode = 1;
>> }
>> # [...]
>> my $TimeString = sprintf("%02d%02d%02d", $hour, $min, $sec);
>> my $DateString = sprintf("%d-%02d-%02d-%s-$$",
>> $year, $month, $day, $TimeString);
>> # [...]
>> if ($TmpMode) {
>> $NewDir = "$Dir/$Prog-$DateString-$RunNumber";
>> }
>For this issue, adding a random number at the end would fix the issue,
>right?
If it's sufficiently random, yeah. But I'd strongly recommend that we
throw away most of this logic, and use the tempdir() from the File::Temp
module instead.
--
Jakub Wilk
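Added illustration (not scan-build's code, nor from the bug thread): the predictable naming scheme quoted above placed beside the File::Temp tempdir() replacement Jakub recommends, plus a check that the created directory is private. The function names, the "scan-build" prefix and the XXXXXX template length are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example, not scan-build's code: contrasts the predictable
# directory name construction quoted in the bug with File::Temp's tempdir().
use strict;
use warnings;
use File::Temp qw(tempdir);
use Fcntl ':mode';

# Predictable scheme (mirrors the quoted logic): base dir from the
# environment, then prog-date-pid-run. Date, time and PID are
# guessable by any local user, so the name can be known in advance.
sub predictable_dir_name {
    my ($prog, $run_number) = @_;
    my $dir = $ENV{'TMPDIR'} || $ENV{'TEMP'} || $ENV{'TMP'} || "/tmp";
    my ($sec, $min, $hour, $day, $month, $year) = localtime(time);
    $year += 1900; $month += 1;
    my $time_string = sprintf("%02d%02d%02d", $hour, $min, $sec);
    my $date_string = sprintf("%d-%02d-%02d-%s-$$", $year, $month, $day, $time_string);
    return "$dir/$prog-$date_string-$run_number";
}

# Hardened scheme: File::Temp fills the XXXXXX template with random
# characters, creates the directory atomically with mode 0700 and
# retries on collision instead of reusing an existing path.
# TMPDIR => 1 honours $TMPDIR via File::Spec->tmpdir; CLEANUP => 0
# keeps the directory after exit, as a report directory must survive.
sub secure_report_dir {
    my ($prog) = @_;
    return tempdir("$prog-XXXXXX", TMPDIR => 1, CLEANUP => 0);
}

# Sanity check a practitioner would run: the path is a directory,
# owned by the effective uid, with no group/other permission bits.
sub dir_is_private {
    my ($path) = @_;
    my @st = lstat($path) or return 0;
    return 0 unless S_ISDIR($st[2]);
    return 0 unless $st[4] == $>;
    return 0 if ($st[2] & 0077);
    return 1;
}

my $guessable = predictable_dir_name("scan-build", 1);
my $private   = secure_report_dir("scan-build");
print "predictable name: $guessable\n";
print "File::Temp name:  $private (private: ", dir_is_private($private), ")\n";
rmdir $private;   # remove the example directory again
```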