Bug#744817: clang-3.5: scan-build: insecure use of /tmp

Jakub Wilk jwilk at debian.org
Sat Apr 26 22:05:05 UTC 2014


* Sylvestre Ledru <sylvestre at debian.org>, 2014-04-15, 14:30:
>>1) The directory name is easily predictable:
>>
>> if (!defined $Dir) {
>>   $Dir = $ENV{'TMPDIR'} || $ENV{'TEMP'} || $ENV{'TMP'} || "/tmp";
>>   $TmpMode = 1;
>> }
>> # [...]
>> my $TimeString = sprintf("%02d%02d%02d", $hour, $min, $sec);
>> my $DateString = sprintf("%d-%02d-%02d-%s-$$",
>>                          $year, $month, $day, $TimeString);
>> # [...]
>> if ($TmpMode) {
>>   $NewDir = "$Dir/$Prog-$DateString-$RunNumber";
>> }
>For this issue, adding a random number at the end would fix the issue, 
>right?

If it's sufficiently random, yeah. But I'd strongly recommend that we 
throw away most of this logic, and use the tempdir() from the File::Temp 
module instead.

-- 
Jakub Wilk
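A File::Temp-based replacement for the quoted directory logic, as an added example rather than code from scan-build or from this thread. It assumes the same conventions as the quoted snippet ($Prog is the program name, $Dir is undef when no output directory was given, i.e. the TmpMode case); dir_is_private is a hypothetical helper, not part of scan-build.

```perl
#!/usr/bin/perl
# Added example, not scan-build's own code: replace the predictable
# "$Dir/$Prog-$DateString-$RunNumber" name with File::Temp's tempdir().
use strict;
use warnings;
use File::Temp qw(tempdir);
use Fcntl qw(:mode);

# $Prog: program name (assumed, as in the quoted snippet).
# $Dir:  user-supplied output directory, undef in the TmpMode case.
sub make_output_dir {
    my ($Prog, $Dir) = @_;
    # An explicit output directory is the caller's responsibility.
    return $Dir if defined $Dir;
    # TMPDIR => 1 makes File::Temp place the directory under
    # File::Spec->tmpdir(), which honours TMPDIR/TEMP/TMP like the
    # original fallback chain. The trailing X's are replaced by random
    # characters and the directory is created with mode 0700, so another
    # local user can neither guess the name nor pre-create it.
    # CLEANUP is left at its default (off) because the reports must
    # survive after scan-build exits.
    return tempdir("$Prog-XXXXXXXX", TMPDIR => 1);
}

# Hypothetical defensive check before writing reports: refuse a path that
# is a symlink, is not owned by us, or is writable by other users.
sub dir_is_private {
    my ($path) = @_;
    my @st = lstat $path or return 0;
    return 0 unless S_ISDIR($st[2]);           # real directory, not a symlink
    return 0 unless $st[4] == $<;              # owned by the current user
    return 0 if $st[2] & (S_IWGRP | S_IWOTH);  # not group/world writable
    return 1;
}

my $dir = make_output_dir('scan-build', undef);
print "output directory: $dir\n";
print "private: ", (dir_is_private($dir) ? "yes" : "no"), "\n";
```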
