When creating a new temporary file name, use mkstemp instead of just taking a rather predictable path, which could even be a symlink planted by a malicious user (granted, that is very unlikely).
Index: file.c
===================================================================
RCS file: /cvs/src/usr.bin/sort/file.c,v
retrieving revision 1.6
diff -u -p -r1.6 file.c
--- file.c 1 Apr 2015 19:06:18 -0000 1.6
+++ file.c 1 Apr 2015 19:48:25 -0000
@@ -167,12 +167,13 @@ file_is_tmp(const char *fn)
 char *
 new_tmp_file_name(void)
 {
- static size_t tfcounter = 0;
- static const char *fn = ".bsdsort.";
 char *ret;
+ int fd;

- sort_asprintf(&ret, "%s/%s%d.%lu", tmpdir, fn, (int)getpid(),
- (unsigned long)(tfcounter++));
+ sort_asprintf(&ret, "%s/.bsdsort.XXXXXXXXXX", tmpdir);
+ if ((fd = mkstemp(ret)) == -1)
+ err(2, "%s", ret);
+ close(fd);
 tmp_file_atexit(ret);
 return ret;
 }
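Review bot: The descriptor from `mkstemp()` is closed immediately and only the path is returned, so the exclusive-create guarantee covers creation but not the later open by name that callers of `new_tmp_file_name()` presumably perform (those callers are outside this hunk). In a sticky directory such as /tmp this is fine, because the file already exists and belongs to the sort process. If `tmpdir` can point to a directory that other users can write to without the sticky bit, the name can still be replaced between `close(fd)` and the reopen. The contract deserves a comment above the function, e.g. `/* Creates the file (mode 0600) and returns its path; callers reopen by name, so tmpdir must not be writable by other users unless sticky. */`. Longer term, consider keeping the descriptor and handing it to the caller through `fdopen()` instead of closing it here.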