On 4/11/19 12:12 AM, Jason A. Donenfeld wrote:
> I keep forgetting things. The other thing I wanted to bring up is that
> I suspect bash's actual implementation of temporary files is
> problematic and might have some of the classic /tmp and TOCTOU style
> attacks.

It's a peripheral issue, since the here-document implementation uses a
different function that (usually) calls mkstemp. But since this function
is used for making non-regular files (named pipes), you pretty much have
to use a function that returns a name. If you'd like to take a run at a
better implementation, I'd be glad to take a look at it, as long as it's
portable.

> The first one there uses mktemp(3), which is known to be racy and
> insecure. The GNU man page has a pretty strong warning about it. Maybe
> that's not used in GNU environments though?

Read http://lists.gnu.org/archive/html/bug-bash/2016-05/msg00062.html
for a different perspective.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://tiswww.cwru.edu/~chet/
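
An added example, not part of the original message and not bash's code: one portable way to get a name for a named pipe without mktemp(3) is to create a private directory with mkdtemp(3) and call mkfifo(3) inside it. The helper names, the `fifo-XXXXXX` template and the `pipe` file name are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose mkdtemp(3) under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a bash function). Creates a FIFO inside a fresh
 * 0700 directory; fills `dir` and `path`. Returns 0, or -1 with errno set. */
int make_private_fifo(char *path, size_t pathlen, char *dir, size_t dirlen)
{
    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL || *tmp == '\0')
        tmp = "/tmp";
    int n = snprintf(dir, dirlen, "%s/fifo-XXXXXX", tmp);
    if (n < 0 || (size_t)n >= dirlen) { errno = ENAMETOOLONG; return -1; }
    /* mkdtemp picks the name and creates the directory in one step, so no
     * other user can claim the name between generation and creation. */
    if (mkdtemp(dir) == NULL)
        return -1;
    n = snprintf(path, pathlen, "%s/pipe", dir);
    /* mkfifo fails with EEXIST if the name exists, symlinks included. */
    if (n >= 0 && (size_t)n < pathlen && mkfifo(path, 0600) == 0)
        return 0;
    int saved = (n < 0 || (size_t)n >= pathlen) ? ENAMETOOLONG : errno;
    rmdir(dir);             /* do not leave the empty directory behind */
    errno = saved;
    return -1;
}

/* Hypothetical cleanup helper: removes the FIFO, then its directory. */
int remove_private_fifo(const char *path, const char *dir)
{
    if (unlink(path) != 0)
        return -1;
    return rmdir(dir);
}

int main(void)
{
    char path[4096], dir[4096];
    if (make_private_fifo(path, sizeof path, dir, sizeof dir) != 0) {
        perror("make_private_fifo");
        return 1;
    }
    printf("fifo created at %s\n", path);
    return remove_private_fifo(path, dir) == 0 ? 0 : 1;
}
```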