Re: Perl's alleged tempfile vulnerabilities

From: Tom Christiansen (tchristat_private)
Date: Mon Feb 07 2000 - 05:56:37 PST

Next message: Vitek, Ian: "Infosec.20000207.axis700.a"

Previous message: Henrik Nordstrom: "Re: Fwd: CERT Advisory CA-2000-02"
Maybe in reply to: Tom Christiansen: "Perl's alleged tempfile vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>Both sfio97 and sfio98 have (except for one teensy change) the same
>sftmp.c. sftmp.c has this file creation code:
>
[randomization stuff deleted]
>
>  if((fd = open(file,O_RDWR|O_CREAT|O_EXCL|O_TEMPORARY,SF_CREATMODE)) >= 0)

Thanks for that sniplet!

The real problems as I perceive them are the following, ranked
by seriousness:

 1) ISSUE:  People think that open(TMP, ">/tmp/foo.$$") is fine.

    FIX:    Point out in the perlfunc/open doc that this is not
            secure, especially in directories anyone can delete
            anything from.  Refer readers to a new section in the
            perlsec manpage on secure Perl programming that would
            cover diverse non-trivial and non-obvious tmpfile issues.


 2) ISSUE:  By relying upon native semantics for tmpfile and tmpnam
            (and making them more than somewhat hard-to-find), Perl
            is at the mercy of each platform's peculiar problems.
            For example, on SunOS and SysVr3-derived code, tmpfile
            appears to use fopen(path, "w+"), which is problematic.

    FIX:    We should include in Perl implementations for these
            routines whose provenance we can guarantee, irrespective
            of platform.  That way we *know* what we're getting.
            This is like the matter of using our own globbing code
            instead of calling out to a native executable.  The
            fixes suggested for issue #1 should satisfy the "hard
            to find" part here.


 3) ISSUE:  There exists no standard equivalent in Perl to the libc
            functions mktemp(3), mkstemp(3), mkstemps(3), or
            mkdtemp(3).  These functions all receive as an argument
	    a mutable template string, thus permitting the program
	    to specify the directory in which the temp files shall
	    occur, and the general format of their names.

    FIX:    Add some or all of these templatizing functions to the
            standard Perl distribution.  Define tmpfile() in terms
            of mkstemp(), with an unlink().  These can all go in
            one module, not scattered about as IO::File::tmpfile()
            and POSIX::tmpnam() currently are.  Although there is
            a CPAN module for some of this, that module is buggy.
            Include doc fixes per issue #1.

--tom

Next message: Vitek, Ian: "Infosec.20000207.axis700.a"
Previous message: Henrik Nordstrom: "Re: Fwd: CERT Advisory CA-2000-02"
Maybe in reply to: Tom Christiansen: "Perl's alleged tempfile vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:41 PDT