On 2023-02-18 at 21:56 +0000, Andrea Corallo wrote:
> >> + (expand-file-name
> >> + (make-temp-file-internal (file-name-sans-extension
> >> rel-filename)
> >> + 0 ".eln" nil)
> >> + temporary-file-directory))))
> >
> > Hmm, it seems using make-temp-file-internal with DIR-FLAG=0 which just
> > constructs a name and does not create the file like make-temp-name, so
> > there is a race condition as Stefan mentioned. Is that really OK?
>
> Mmhh, Stefan mentioned the case where the tmp file name is predicted.
>
> Shouldn't make-temp-file-internal return a non predictable file name?
> Otherwise what's the point of using make-temp-file in the first place if
> the temporary name is predictable?
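
Review bot: in the `(make-temp-file-internal (file-name-sans-extension rel-filename) 0 ".eln" nil)` call, passing 0 as DIR-FLAG only constructs a name and leaves the file uncreated, so whatever later writes to that path under temporary-file-directory does so after a gap in which another local user can put a file or symlink at the same name. Consider creating the file at the moment the name is chosen with make-temp-file, or creating a subdirectory with make-temp-file and a non-nil DIR-FLAG and placing the .eln inside it.
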
Imagine if a local attacker creates symlinks as the candidate names before
creating the file, though less predictable.

make-temp-name is described as follows:

> There is a race condition between calling `make-temp-name' and
> later creating the file, which opens all kinds of security holes.
> For that reason, you should normally use `make-temp-file' instead.

To create a temporary file in a secure fashion, use make-temp-file to
create a file, or use make-temp-file with DIR-FLAG to create a
subdirectory and then create a file in it.

Thanks,
-- 
Tatsuya Kinoshita
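
The subdirectory approach described in the message above, as an added Emacs Lisp example (not code from the patch under review or from Emacs itself). The function name `my/write-temp-eln', the "eln-build-" prefix and the sample contents are hypothetical.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; `my/write-temp-eln' is a hypothetical helper.

(defun my/write-temp-eln (base-name contents)
  "Write CONTENTS to BASE-NAME.eln inside a freshly created temp directory.
Return the absolute file name.  The caller removes the directory when done."
  ;; A non-nil DIR-FLAG makes `make-temp-file' create the directory
  ;; itself, under a unique name, in `temporary-file-directory'.
  ;; The name is never handed back uncreated, so there is no gap
  ;; between choosing it and creating it.
  (let* ((dir (make-temp-file "eln-build-" t))
         (file (expand-file-name (concat base-name ".eln") dir)))
    (condition-case err
        (progn
          ;; MUSTBENEW `excl': signal an error if anything already
          ;; exists at FILE instead of overwriting it.
          (write-region contents nil file nil 'silent nil 'excl)
          file)
      (error
       ;; Do not leave a half-built directory behind on failure.
       (delete-directory dir t)
       (signal (car err) (cdr err))))))

;; Single-file variant: `make-temp-file' with a nil DIR-FLAG creates
;; the file as part of picking the name and returns that name.
;;   (make-temp-file "example-" nil ".eln")

;; Usage with constructed sample contents.
(let ((f (my/write-temp-eln "example" "constructed sample contents")))
  (unwind-protect
      (message "wrote %s (%d bytes)"
               f (file-attribute-size (file-attributes f)))
    (delete-directory (file-name-directory f) t)))
```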