From: Tatsuya Kinoshita <tats@debian.org>
To: akrl@sdf.org
Cc: emacs-devel@gnu.org, monnier@iro.umontreal.ca,
spwhitton@spwhitton.name, 1021842@bugs.debian.org
Subject: Bug#1021842: Finalizing 'inhibit-automatic-native-compilation'
Date: Sun, 19 Feb 2023 23:31:31 +0900 (JST)
Message-ID: <20230219.233131.1511069829833751131.tats%nobody@tats.iris.ne.jp>
In-Reply-To: <xjfzg9a3af3.fsf@ma.sdf.org>
On 2023-02-18 at 21:56 +0000, Andrea Corallo wrote:
> >> + (expand-file-name
> >> + (make-temp-file-internal (file-name-sans-extension rel-filename)
> >> + 0 ".eln" nil)
> >> + temporary-file-directory))))
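Review bot: Passing 0 as DIR-FLAG to make-temp-file-internal in this expression yields only a name, with no file created, so whatever later writes the .eln under temporary-file-directory can lose a race with anyone able to create that name first. Prefer make-temp-file, which creates the file, or make-temp-file with DIR-FLAG to create a subdirectory and place the .eln inside it. If a name-only result is intended, add a comment saying why the later creation is safe.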
> >
> > Hmm, it seems to be using make-temp-file-internal with DIR-FLAG=0, which
> > just constructs a name and does not create the file, like make-temp-name,
> > so there is a race condition as Stefan mentioned. Is that really OK?
>
> Mmhh, Stefan mentioned the case where the tmp file name is predicted.
>
> Shouldn't make-temp-file-internal return a non predictable file name?
> Otherwise what's the point of using make-temp-file in the first place if
> the temporary name is predictable?
Imagine if a local attacker creates symlinks at the candidate names
before the file is created, though they are less predictable.

make-temp-name is described as follows:
> There is a race condition between calling `make-temp-name' and
> later creating the file, which opens all kinds of security holes.
> For that reason, you should normally use `make-temp-file' instead.
To create a temporary file in a secure fashion, use make-temp-file
to create a file, or use make-temp-file with DIR-FLAG to create a
subdirectory and then create a file in it.
Thanks,
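
The two approaches named in the last paragraph, as an added Emacs Lisp example that is not part of the original message or of the Emacs patch under discussion. The `my/` function names and the sample file name are hypothetical, and POSIX file semantics are assumed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: the `my/' helpers are hypothetical, not from the Emacs patch.
;; Assumes POSIX file semantics.

(defun my/temp-eln-file (rel-filename)
  "Create an empty temporary .eln file for REL-FILENAME; return its name.
`make-temp-file' creates the file itself, so there is no gap between
choosing the name and creating the file."
  (make-temp-file (file-name-base rel-filename) nil ".eln"))

(defun my/temp-eln-in-private-dir (rel-filename)
  "Return a .eln path inside a freshly created temporary directory.
With DIR-FLAG non-nil, `make-temp-file' creates the directory itself."
  (let ((dir (make-temp-file "eln-" t)))
    (expand-file-name (concat (file-name-base rel-filename) ".eln") dir)))

(defun my/write-new-file (file string)
  "Write STRING to FILE, signalling an error if FILE already exists.
MUSTBENEW `excl' makes `write-region' refuse an existing name rather
than write through whatever is already there."
  (write-region string nil file nil 'silent nil 'excl))

;; Demo on a constructed file name.
(let* ((file (my/temp-eln-file "lisp/foo.el"))
       (path (my/temp-eln-in-private-dir "lisp/foo.el"))
       (dir (file-name-directory path)))
  (unwind-protect
      (progn
        (message "created by make-temp-file: %s" (file-exists-p file))
        (message "private dir group/other bits: %o"
                 (logand (file-modes dir) #o077))
        (my/write-new-file path "first writer")
        (message "second write to same name: %s"
                 (condition-case nil
                     (progn (my/write-new-file path "second writer")
                            'overwrote)
                   (file-already-exists 'refused))))
    (delete-file file)
    (delete-directory dir t)))
```

Save it to a file and run it with `emacs --batch -l` on that file; the demo removes what it created.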