Changes to m4/doc/m4.texinfo,v

m4-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Changes to m4/doc/m4.texinfo,v

From:	Eric Blake
Subject:	Changes to m4/doc/m4.texinfo,v
Date:	Thu, 19 Oct 2006 23:13:46 +0000

CVSROOT:        /sources/m4
Module name:    m4
Changes by:     Eric Blake <ericb>      06/10/19 23:13:45

Index: doc/m4.texinfo
===================================================================
RCS file: /sources/m4/m4/doc/m4.texinfo,v
retrieving revision 1.67
retrieving revision 1.68
diff -u -b -r1.67 -r1.68
--- doc/m4.texinfo      19 Oct 2006 16:19:20 -0000      1.67
+++ doc/m4.texinfo      19 Oct 2006 23:13:45 -0000      1.68
@@ -258,7 +258,7 @@
 * Syscmd::                      Executing simple commands
 * Esyscmd::                     Reading the output of commands
 * Sysval::                      Exit status
-* Maketemp::                    Making temporary files
+* Mkstemp::                     Making temporary files
 
 Miscellaneous builtin macros
 
@@ -644,7 +644,7 @@
 format and meaning of @var{RESYNTAX-SPEC}.
 
 @item --safer
-Cripple the builtins @code{maketemp} (@pxref{Maketemp}),
+Cripple the builtins @code{maketemp}, @code{mkstemp} (@pxref{Mkstemp}),
 @code{debugfile} (@pxref{Debugfile}), @code{syscmd} (@pxref{Syscmd}),
 and @code{esyscmd} (@pxref{Esyscmd}), since they can perform potentially
 unsafe actions.  An attempt to use these macros will result in an error.
@@ -5024,7 +5024,7 @@
 * Syscmd::                      Executing simple commands
 * Esyscmd::                     Reading the output of commands
 * Sysval::                      Exit status
-* Maketemp::                    Making temporary files
+* Mkstemp::                     Making temporary files
 @end menu
 
 @node Platform macros
@@ -5158,44 +5158,127 @@
 @result{}0
 @end example
 
address@hidden Maketemp
address@hidden Mkstemp
 @section Making temporary files
 
 @cindex temporary file names
 @cindex files, names of temporary
 Commands specified to @code{syscmd} or @code{esyscmd} might need a
-temporary file, for output or for some other purpose.
+temporary file, for output or for some other purpose.  There is a
+builtin macro, @code{mkstemp}, for making a temporary file:
 
address@hidden {Builtin (m4)} maketemp (@var{template})
-There is a builtin macro, @code{maketemp}, for making temporary file
-names, which expands to a name of a new, empty file, made from the
-string @var{template}, which should end with the string @samp{XXXXXX}.
-The six @code{X}'s are then replaced, usually with something that
-includes the process id of the @code{m4} process, in order to make the
-file name unique.
address@hidden {Builtin (m4)} mkstemp (@var{template})
address@hidden {Builtin (m4)} maketemp (@var{template})
+Expands to a name of a new, empty file, made from the string
address@hidden, which should end with the string @samp{XXXXXX}.  The six
address@hidden characters are then replaced with random characters matching
+the regular expression @samp{[a-zA-Z0-9._-]}, in order to make the file
+name unique.  If fewer than six @samp{X} characters are found at the end
+of @code{template}, the result will be longer than the template.  The
+created file will have access permissions as if by @kbd{chmod =rw,go=},
+meaning that the current umask of the @code{m4} process is taken into
+account, and at most only the current user can read and write the file.
+
+The traditional behavior, standardized by @acronym{POSIX}, is that
address@hidden merely replaces the trailing @samp{X} with the process
+id, without creating a file, and without ensuring that the resulting
+string is a unique file name.  In part, this means that using the same
address@hidden twice in the same input file will result in the same
+expansion.  This behavior is a security hole, as it is very easy for
+another process to guess the name that will be generated, and thus
+interfere with a subsequent use of @code{syscmd} trying to manipulate
+that file name.  Hence, @acronym{POSIX} has recommended that all new
+implementations of @code{m4} provide the secure @code{mkstemp} builtin,
+and that users of @code{m4} check for its existence.
+
+The expansion is void and an error issued if a temporary file could
+not be created.
+
+When the @option{--safer} option (@pxref{Operation modes, Invoking m4})
+is in effect, @code{mkstemp} and @acronym{GNU}-mode @code{maketemp}
+result in an error, since otherwise an input file could perform a mild
+denial-of-service attack by filling up a disk with multiple empty files.
+
+The macros @code{mkstemp} and @code{maketemp} are recognized only with
+parameters.
address@hidden deffn
+
+If you try this next example, you will most likely get different output
+for the two file names, since the replacement characters are randomly
+chosen:
 
 @comment ignore
 @example
+$ @kbd{m4}
 maketemp(`/tmp/fooXXXXXX')
address@hidden:stdin:1: Warning: maketemp: recommend using mkstemp instead
 @result{}/tmp/fooa07346
+ifdef(`mkstemp', `define(`maketemp', defn(`mkstemp'))',
+      `define(`mkstemp', defn(`maketemp'))dnl
+errprint(`warning: potentially insecure maketemp implementation
+')')
address@hidden
+mkstemp(`doc')
address@hidden
 @end example
 
-When the @option{--safer} option (@pxref{Operation modes, Invoking m4})
-is in effect, @code{maketemp} results in an error, since otherwise an
-input file could perform a mild denial-of-service attack by filling up a
-disk with multiple empty files.
-
-The builtin macro @code{maketemp} is recognized only when given
-arguments.
address@hidden deffn
-
 @comment options: --safer
 @comment status: 1
 @example
 $ @kbd{m4 --safer}
 maketemp(`/tmp/fooXXXXXX')
address@hidden:stdin:1: Warning: maketemp: recommend using mkstemp instead
 @error{}m4:stdin:1: maketemp: disabled by --safer
 @result{}
+mkstemp(`/tmp/fooXXXXXX')
address@hidden:stdin:2: mkstemp: disabled by --safer
address@hidden
address@hidden example
+
address@hidden @acronym{GNU} extensions
+Unless you use the @option{--traditional} command line option (or
address@hidden, @pxref{Limits control, , Invoking m4}), the @acronym{GNU}
+version of @code{maketemp} is secure.  This means that using the same
+template to multiple calls will generate multiple files.  However, we
+recommend that you use the new @code{mkstemp} macro, introduced in
address@hidden M4 1.4.8, which is secure even in traditional mode.
+
address@hidden
+$ @kbd{m4}
+syscmd(`echo foo??????')dnl
address@hidden
+define(`file1', maketemp(`fooXXXXXX'))dnl
address@hidden:stdin:2: Warning: maketemp: recommend using mkstemp instead
+ifelse(esyscmd(`echo foo??????'), `foo??????', `no file', `created')
address@hidden
+define(`file2', maketemp(`fooXX'))dnl
address@hidden:stdin:4: Warning: maketemp: recommend using mkstemp instead
+define(`file3', mkstemp(`fooXXXXXX'))dnl
+ifelse(len(file1), len(file2), `same length', `different')
address@hidden length
+ifelse(file1, file2, `same', `different file')
address@hidden file
+ifelse(file2, file3, `same', `different file')
address@hidden file
+ifelse(file1, file3, `same', `different file')
address@hidden file
+syscmd(`rm 'file1 file2 file3)
address@hidden
+sysval
address@hidden
address@hidden example
+
address@hidden options: -G
address@hidden
+$ @kbd{m4 -G}
+define(`file1', maketemp(`fooXXXXXX'))dnl
address@hidden:stdin:1: Warning: maketemp: recommend using mkstemp instead
+define(`file2', maketemp(`fooXXXXXX'))dnl
address@hidden:stdin:2: Warning: maketemp: recommend using mkstemp instead
+ifelse(file1, file2, `same', `different file')
address@hidden
+syscmd(`echo foo??????')dnl
address@hidden
 @end example
 
 @node Miscellaneous
@@ -5591,7 +5674,7 @@
 @cindex GNU extensions
 @cindex @acronym{POSIX}
 @cindex @env{POSIXLY_CORRECT}
-This version of @code{m4} contains a few facilities, that do not exist
+This version of @code{m4} contains a few facilities that do not exist
 in System V @code{m4}.  These extra facilities are all suppressed by
 using the @samp{-G} command line option, unless overridden by other
 command line options.
@@ -5664,6 +5747,15 @@
 @item
 The destination of trace and debug output can be controlled with
 @code{debugfile} (@pxref{Debugfile}).
+
address@hidden
+The @code{maketemp} (@pxref{Mkstemp}) macro behaves like @code{mkstemp},
+creating a new file with a unique name on every invocation, rather than
+following the insecure behavior of replacing the trailing @samp{X}
+characters with the @code{m4} process id.  @acronym{POSIX} does not
+allow this extension, so @code{maketemp} is insecure if
address@hidden is set, but you should be using @code{mkstemp} in
+the first place.
 @end itemize
 
 Additionally, @acronym{POSIX} only requires support for the command line

[Prev in Thread]

Current Thread

[Next in Thread]

Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/03
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/06
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/06
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/11
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/12
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/13
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/14
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/16
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/19
- Changes to m4/doc/m4.texinfo,v, Eric Blake <=
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/21
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/21
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/21
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/23
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/25
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/27
- Changes to m4/doc/m4.texinfo,v, Eric Blake, 2006/10/31

Prev by Date: Changes to m4/tests/options.at,v
Next by Date: m4 ChangeLog NEWS checks/get-them doc/m4.texinf... [branch-1_4]
Previous by thread: Changes to m4/doc/m4.texinfo,v
Next by thread: Changes to m4/doc/m4.texinfo,v
Index(es):
- Date
- Thread