On 2008-02-01 18:20-0000 Andrew Ross wrote:

> On Wed, Jan 30, 2008 at 05:02:46PM -0800, Alan Irwin wrote:
>>
>> For case (3) some additional warnings occurred for
>> bindings/tk/plframe.c:2648 and drivers/tk.c:1453 (repeated more than 100
>> times for some reason) with the message
>>
>> tmpnam is dangerous, better use mkstemp
>>
>> Is this large set of warnings easy to fix?
>
> This is a link-time warning, which is why it only appears with the
> statically linked case.
>
> tmpfile is the best portable way of opening temporary files. It returns
> an open file descriptor rather than a file name. This avoids the various
> race conditions inherent in tmpnam. We use this elsewhere in plplot.
> Unfortunately these two cases are not easily changed.
>
> plframe.c opens a temporary file, writes to it, then calls an external
> print command with the temporary file name. We need the name to do this.
> We could use mkstemp in this case, which returns a file descriptor and a
> file name, avoiding the race conditions. Unfortunately this is not
> portable (Windows doesn't have it I believe). I could implement this
> through suitable #ifdef's.
>
> drivers/tk.c uses the temporary file name to open a FIFO pipe. Neither
> tmpfile nor mkstemp can do this so I see no alternative to using tmpnam.
> Well, the alternative is a fixed name, which is even worse to my mind.
>
> When we use tmpnam we ensure that the file is correctly created and
> opened and exit if not so the use should(?) be secure. A denial of
> service attack would be possible in theory I suppose.
>
> Unfortunately a search on the web hasn't shown an easy way of disabling
> the warning.

Thanks, Andrew, for your research into this issue.  It sounds like the
status quo (and living with the resulting warning messages) is the correct
course to take unless a better option becomes available in the future.

Alan
__________________________
Alan W. Irwin

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the FreeEOS equation-of-state implementation
for stellar interiors (freeeos.sf.net); PLplot scientific plotting software
package (plplot.org); the libLASi project (unifont.org/lasi); the Loads of
Linux Links project (loll.sf.net); and the Linux Brochure Project
(lbproject.sf.net).
__________________________

Linux-powered Science
__________________________
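
The two cases discussed in this message, as an added example for POSIX systems (not PLplot code and not written by either author): a named temporary file created with mkstemp, and a FIFO created without tmpnam by placing it inside a directory made with mkdtemp. The function names and the `plexample_` prefix are assumptions made for illustration; Windows would need a separate code path.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose mkstemp, mkdtemp, mkfifo */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Build "<TMPDIR or /tmp>/plexample_XXXXXX" in buf; -1 if it does not fit. */
static int temp_template(char *buf, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    int n = snprintf(buf, len, "%s/plexample_XXXXXX", base);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Named file: mkstemp() picks the name and creates the file in one atomic
 * step (O_EXCL, mode 0600). Returns the fd; path receives the name. */
int make_named_tempfile(char *path, size_t len)
{
    return temp_template(path, len) == 0 ? mkstemp(path) : -1;
}

/* FIFO: mkdtemp() atomically creates a new mode-0700 directory, so only the
 * owner can create entries in it; mkfifo() fails with EEXIST rather than
 * reusing an existing entry. Returns 0 on success, -1 on failure. */
int make_private_fifo(char *dir, size_t dlen, char *fifo, size_t flen)
{
    if (temp_template(dir, dlen) != 0 || mkdtemp(dir) == NULL) return -1;
    int n = snprintf(fifo, flen, "%s/fifo", dir);
    if (n < 0 || (size_t)n >= flen || mkfifo(fifo, 0600) != 0) {
        rmdir(dir);
        return -1;
    }
    return 0;
}
/* Remove the FIFO and its private directory once the pipe is finished with. */
void remove_private_fifo(const char *dir, const char *fifo) { unlink(fifo); rmdir(dir); }

int main(void)
{
    char path[256], dir[256], fifo[300];
    int fd = make_named_tempfile(path, sizeof path);
    if (fd < 0) return 1;
    int rc = make_private_fifo(dir, sizeof dir, fifo, sizeof fifo);
    if (rc == 0) { printf("temp file: %s\nfifo: %s\n", path, fifo); remove_private_fifo(dir, fifo); }
    close(fd); unlink(path);
    return rc == 0 ? 0 : 1;
}
```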
