unique_path() is a security vulnerability
Section: 15 [filesys.ts::fs.op.funcs] Status: TS Submitter: CH-19 Opened: 2014-01-20 Last modified: 2017-07-30
Priority: Not Prioritized
Discussion:
Addresses: filesys.ts
unique_path() is a security vulnerability. As the Linux manual page for the similar function tmpnam() writes in the "BUGS" section: "Never use this function. Use mkstemp(3) or tmpfile(3) instead." mkstemp() and tmpfile() avoid the inherent race condition of unique_path() by returning an open file descriptor or FILE*.
There are two issues here:
- Confusion over what unique_path does and how it is used. The function is misleadingly named. These issues have arisen in the past, but apparently have not been fully corrected. The suggested fix is to (1) rename the function and (2) provide an example of how to use the function safely with fstreams or even C I/O. See below for proposed wording.
- Very real security concerns. See 2654. The security concerns are probably best dealt with in the next File System TS, since a full-blown proposal is needed and will likely take several years to develop.
[ 2014-02-11 Issaquah: Strike the function. ]
[2014-02-12 The following Proposed resolution from CH-19 was moved here to avoid confusion with the final Proposed resolution wording from the WG/SG3.]
Remove this function. Consider providing a function create_unique_directory().
If it fits the scope of the proposed TS, consider providing functions create_unique_file() that return ifstream, ofstream and iofstream.
[ 2014-02-12 The following Proposed wording was moved here to avoid confusion with the final Proposed resolution wording from the WG/SG3. ]
[2014-02-10 Beman Dawes]
Previous resolution from Beman [SUPERSEDED]:
Change 15.38 [fs.op.unique_path], replacing each occurrence of unique_path with generate_random_filename:

path generate_random_filename(const path& model="%%%%-%%%%-%%%%-%%%%");
path generate_random_filename(const path& model, error_code& ec);

The generate_random_filename function generates a name suitable for temporary files, including directories. The name is based on a model that uses the percent sign character to specify replacement by a random hexadecimal digit.

[Note: The more bits of randomness in the generated name, the less likelihood of prior existence or being guessed. Each replacement hexadecimal digit in the model adds four bits of randomness. The default model thus provides 64 bits of randomness. --end note]

Returns: A path identical to model, except that each occurrence of the percent sign character is replaced by a random hexadecimal digit character in the range 0-9, a-f. The signature with argument ec returns path() if an error occurs.

Throws: As specified in Error reporting.

Remarks: Implementations are encouraged to obtain the required randomness via a cryptographically secure pseudo-random number generator, such as one provided by the operating system. [Note: Such generators may block until sufficient entropy develops. --end note]

Replace this example with one that opens a std::ofstream:

[Example: cout << generate_random_filename("test-%%%%%%%%%%%.txt") << endl; Typical output would be "test-0db7f2bf57a.txt". Because 11 hexadecimal output characters are specified, 44 bits of randomness are supplied. -- end example]
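To make both points concrete (the race condition described in the discussion, and the generate_random_filename() semantics in the superseded wording above), here is an added example. It is not part of this issue, of the File System TS, or of any implementation. It implements the percent-sign model substitution as the wording specifies it, and then shows what a caller has to do with such a name to avoid the race: create the file with O_CREAT|O_EXCL (or the directory with mkdir()), retry only on EEXIST, and keep the open descriptor, which is what mkstemp() does internally. The functions create_unique_file() and create_unique_directory() take their names from the suggestion in the discussion, but their signatures, the UniqueFile struct and the helper matches_model() are this example's own assumptions. POSIX only.

```cpp
// Added example, not part of the issue text or of any Filesystem TS
// implementation. (1) generate_random_filename(): the proposed model
// substitution. (2) create_unique_file()/create_unique_directory(): the
// name alone is racy, so creation and existence check are one system call
// (O_EXCL / mkdir) and the caller gets the open descriptor, like mkstemp().
// Function signatures and the UniqueFile struct are this example's assumptions.
#include <cerrno>
#include <cstdlib>
#include <random>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Proposed semantics: each '%' in model becomes a random hex digit (4 bits),
// every other character is copied unchanged.
std::string generate_random_filename(const std::string& model = "%%%%-%%%%-%%%%-%%%%") {
    static const char hex[] = "0123456789abcdef";
    // Assumption: std::random_device is backed by an OS CSPRNG here, as the
    // proposed Remarks encourage (true for libstdc++ and libc++ on Linux).
    std::random_device rd;
    std::uniform_int_distribution<int> dist(0, 15);
    std::string out = model;
    for (char& c : out)
        if (c == '%') c = hex[dist(rd)];
    return out;
}

// True if name could have been produced from model: same length, identical
// outside the '%' positions, a lowercase hex digit at each '%'.
bool matches_model(const std::string& name, const std::string& model) {
    if (name.size() != model.size()) return false;
    for (size_t i = 0; i < model.size(); ++i) {
        if (model[i] == '%') {
            char c = name[i];
            if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) return false;
        } else if (name[i] != model[i]) {
            return false;
        }
    }
    return true;
}

struct UniqueFile {
    int fd = -1;       // open descriptor, -1 on failure (errno is set)
    std::string path;  // the path that was actually created
};

// Atomic create-or-fail. O_EXCL makes "does it exist?" and "create it" a
// single system call, O_NOFOLLOW refuses a symlink planted at the path, and
// mode 0600 keeps the file private. A collision (EEXIST) is the only error
// worth retrying with a fresh name; anything else goes back to the caller.
UniqueFile create_unique_file(const std::string& dir,
                              const std::string& model = "%%%%-%%%%-%%%%-%%%%",
                              int max_attempts = 100) {
    UniqueFile result;
    for (int attempt = 0; attempt < max_attempts; ++attempt) {
        std::string candidate = dir + "/" + generate_random_filename(model);
        int fd = ::open(candidate.c_str(),
                        O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
        if (fd >= 0) {
            result.fd = fd;
            result.path = candidate;
            return result;
        }
        if (errno != EEXIST) return result;  // EACCES, ENOENT, ...: do not retry
    }
    errno = EEXIST;  // the model did not carry enough randomness for this directory
    return result;
}

// Same idea for the create_unique_directory() the discussion suggests: mkdir()
// already fails with EEXIST rather than reusing an existing directory, so no
// separate existence check is needed. Returns the created path, "" on failure.
std::string create_unique_directory(const std::string& dir,
                                    const std::string& model = "%%%%-%%%%-%%%%-%%%%",
                                    int max_attempts = 100) {
    for (int attempt = 0; attempt < max_attempts; ++attempt) {
        std::string candidate = dir + "/" + generate_random_filename(model);
        if (::mkdir(candidate.c_str(), 0700) == 0) return candidate;
        if (errno != EEXIST) return "";
    }
    errno = EEXIST;
    return "";
}
```

The descriptor in UniqueFile is the whole point: a FILE* as tmpfile() returns is one fdopen() call away, and anything written through the descriptor goes to the file this process created, not to whatever another process may have placed at that name after a separate exists() check. A check-then-open sequence built on the returned name, which is how unique_path() invites callers to use it, leaves exactly that window open.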
Proposed resolution:
Remove the two unique_path function signatures from 6 [fs.filesystem.synopsis].
Remove 15.38 [fs.op.unique_path] in its entirety.
[This removes all references to the function from the working draft.]