GNOME Bugzilla – Bug 130091
insecure temporary file creation issues
Last modified: 2004-12-22 21:47:04 UTC
I was browsing the nautilus source code and found these: libnautilus-private/nautilus-file-utilities.c, line 343 nautilus_unique_temporary_file_name (void) { const char *prefix = "/tmp/nautilus-temp-file"; char *file_name; static guint count = 1; file_name = g_strdup_printf ("%sXXXXXX", prefix); if (mktemp (file_name) != file_name) { g_free (file_name); file_name = g_strdup_printf ("%s-%d-%d", prefix, count++, getpid ()); } return file_name; } This one in libnautilus-private/nautilus-metafile.c, line 1740 is secure. temp_path = g_strconcat (metafile_path, "XXXXXX", NULL); failed = FALSE; fd = mkstemp (temp_path); if (fd == -1) { failed = TRUE; } This one in src/nautilus-profiler.c, line 287 'snatched defeat from the jaws of victory': dump_file_name = g_strdup ("/tmp/nautilus-profile-log-XXXXXX"); fd = mkstemp (dump_file_name); if (fd != -1) { close (fd); } else { g_free (dump_file_name); dump_file_name = g_strdup_printf ("/tmp/nautilus-profile-log.%d", getpid ()); }
Both of the naut maintainers are on vacation ATM, FWIW. If you can supply a patch to fix the problems, I'm sure they'll look at it as soon as they get back. Thanks.
nautilus_unique_temporary_file_name isn't actually used anywhere, but i changed it to mkstemp anyway. The profile thing i wouldn't worry about, since thats only used by nautilus developers on very few occasions. (I don't even know if the profiler stuff builds anymore.)
As noted in the other report I filed on gnome-vfs (bug 130092) IMHO even places where code like this is not really dangerous, it should be coded correctly or accompanied by a very big warning comment that one should not cut and paste this code. Sorry for only complaining and not fixing the bugs, but I really do not have time and bandwith to get all the source and build it.