bug#29001: [wishlist] configure option to disable tmpnam

bug#29001: [wishlist] configure option to disable tmpnam

[Matt Wette]

[-- Attachment #1: Type: text/plain, Size: 1263 bytes --]

It would be nice to have a configure option to disable/enable including the POSIX function tmpnam.
It may give Guile a more "code secure" option to have the default be disabled.

I tried to generate a patch, but I could not get it to work both ways (disable and enable).  My autoconf
knowledge and skills are lacking. 

Here is what I tried (THIS DOES NOT WORK)

--- libguile/posix.c-orig       2017-10-24 05:28:30.000000000 -0700
+++ libguile/posix.c    2017-10-24 05:28:51.000000000 -0700
@@ -1557,6 +1557,7 @@
 }
 #undef FUNC_NAME
 
+#ifdef ENABLE_TMPNAM
 #ifdef L_tmpnam
 
 SCM_DEFINE (scm_tmpnam, "tmpnam", 0, 0, 0,
@@ -1580,6 +1581,7 @@
 #undef FUNC_NAME
 
 #endif
+#endif
 
 SCM_DEFINE (scm_tmpfile, "tmpfile", 0, 0, 0,
             (void),

--- configure.ac-orig   2017-10-24 05:21:56.000000000 -0700
+++ configure.ac        2017-10-25 16:07:34.000000000 -0700
@@ -164,6 +164,10 @@
   [  --disable-regex         omit regular expression interfaces],,
   enable_regex=yes)
 
+AC_ARG_ENABLE(tmpnam,
+  [  --enable-tmpnam         enable POSIX tmpnam],
+  enable_tmpnam=yes, enable_tmpnam=no)
+
 AC_ARG_ENABLE([deprecated],
   AS_HELP_STRING([--disable-deprecated],[omit deprecated features]))

^--- DOES NOT WORK
 


[-- Attachment #2: Type: text/html, Size: 9360 bytes --]

bug#29001: tmpnam option

[Matt Wette]

OK I have it working.  Complete patch here, assuming config.h.in is generated by your autotools.

--- libguile/posix.c-orig	2017-10-24 05:28:30.000000000 -0700
+++ libguile/posix.c	2017-10-24 05:28:51.000000000 -0700
@@ -1557,6 +1557,7 @@
 }
 #undef FUNC_NAME
 
+#ifdef ENABLE_TMPNAM
 #ifdef L_tmpnam
 
 SCM_DEFINE (scm_tmpnam, "tmpnam", 0, 0, 0,
@@ -1580,6 +1581,7 @@
 #undef FUNC_NAME
 
 #endif
+#endif
 
 SCM_DEFINE (scm_tmpfile, "tmpfile", 0, 0, 0,
             (void),
--- configure.ac-orig	2017-10-24 05:21:56.000000000 -0700
+++ configure.ac	2017-10-27 09:03:20.000000000 -0700
@@ -164,6 +164,10 @@
   [  --disable-regex         omit regular expression interfaces],,
   enable_regex=yes)
 
+AC_ARG_ENABLE(tmpnam,
+  [  --enable-tmpnam         enable POSIX tmpnam],
+  AC_DEFINE(ENABLE_TMPNAM,1,[enable POSIX tmpnam()]),)
+
 AC_ARG_ENABLE([deprecated],
   AS_HELP_STRING([--disable-deprecated],[omit deprecated features]))
 

bug#29001: tmpnam

[Matt Wette]

This is related to 4075 at debbugs.gnu.org

bug#29001: tmpnam

[Matt Wette]

On 3/18/20 4:48 PM, Matt Wette wrote:
> This is related to 4075 at debbugs.gnu.org \

er  40075 at debbugs.gnu.org

working on patch against 3.0.1

going better this time

bug#29001: --disable-tmpnam

[Matt Wette]

"make" and "make check" succeeds on 3.0.1 / Ubuntu 18.04 / x86_64 with
1) --disable-tmpnam
2) --enable-tmpnam
3) neither

This updates libguile/posix.c and configure.ac to allow extra
configuration option --disable-tmpnam.   This is made available
for installations that don't want to allow the insecure tmpnam
function.  (Use mkstemp! instead.)

--- libguile/posix.c-orig    2020-03-18 16:55:09.349588085 -0700
+++ libguile/posix.c    2020-03-18 17:07:20.860142083 -0700
@@ -65,6 +65,7 @@

  #include "async.h"
  #include "bitvectors.h"
+#include "deprecation.h"
  #include "dynwind.h"
  #include "extensions.h"
  #include "feature.h"
@@ -1588,6 +1589,7 @@
  }
  #undef FUNC_NAME

+#ifdef ENABLE_TMPNAM
  #ifdef L_tmpnam

  SCM_DEFINE (scm_tmpnam, "tmpnam", 0, 0, 0,
@@ -1602,6 +1604,9 @@
    char name[L_tmpnam];
    char *rv;

+  scm_c_issue_deprecation_warning
+      ("Use of tmpnam is deprecated.  Use mkstemp! instead.");
+
    SCM_SYSCALL (rv = tmpnam (name));
    if (rv == NULL)
      /* not SCM_SYSERROR since errno probably not set.  */
@@ -1611,6 +1616,7 @@
  #undef FUNC_NAME

  #endif
+#endif

  SCM_DEFINE (scm_tmpfile, "tmpfile", 0, 0, 0,
              (void),
--- configure.ac-orig    2020-03-18 17:11:17.977427035 -0700
+++ configure.ac    2020-03-18 17:09:57.850334685 -0700
@@ -166,6 +166,10 @@
    [  --disable-regex         omit regular expression interfaces],,
    enable_regex=yes)

+AC_ARG_ENABLE(tmpnam,
+  [  --disable-tmpnam        omit POSIX tmpnam],,
+  enable_tmpnam=yes)
+
  AC_ARG_ENABLE([deprecated],
    AS_HELP_STRING([--disable-deprecated],[omit deprecated features]))

@@ -909,6 +913,10 @@
     AC_DEFINE([ENABLE_REGEX], 1, [Define when regex support is enabled.])
  fi

+if test "$enable_tmpnam" = yes; then
+   AC_DEFINE([ENABLE_TMPNAM], 1, [Define when tmpnam support is enabled.])
+fi
+
  AC_REPLACE_FUNCS([strerror memmove])

  # Reasons for testing:

bug#29001: patch

[Matt Wette]

Note: The above patch makes tmpnam report that it is deprecated.

bug#29001: --disable-tmpnam

[Ludovic Courtès]

Hi Matt,

Matt Wette <matt.wette@gmail.com> skribis:

> "make" and "make check" succeeds on 3.0.1 / Ubuntu 18.04 / x86_64 with
> 1) --disable-tmpnam
> 2) --enable-tmpnam
> 3) neither
>
> This updates libguile/posix.c and configure.ac to allow extra
> configuration option --disable-tmpnam.   This is made available
> for installations that don't want to allow the insecure tmpnam
> function.  (Use mkstemp! instead.)

Nice.

We should have deprecated ‘tmpnam’ before 3.0.0, it’s probably OK to do
it now.

> +AC_ARG_ENABLE(tmpnam,
> +  [  --disable-tmpnam        omit POSIX tmpnam],,
> +  enable_tmpnam=yes)

Could you use ‘AS_HELP_STRING’ as is done in some other places?  This is
the more conventional way to ensure proper formatting of ‘--help’.

Also, could you send the patch as an attachment (your mail client munged
it somehow)?  You can create the patch by first committing locally and
then running (say) ‘git format-patch HEAD^’.

Bonus points if your commit log follows the GNU ChangeLog style:

  https://www.gnu.org/prep/standards/html_node/Change-Logs.html

You can imitate previous entries shown by ‘git log’.

(I think this patch is acceptable without copyright assignment.  Beyond
that, we’ll need copyright assignment, as discussed on IRC.)

Thanks in advance!

Ludo’.

bug#29001: git patch

[Matt Wette]

[-- Attachment #1: Type: text/plain, Size: 107 bytes --]

Attached is the git patch against the following guile commit:

bef5e0b3938cc88e3a1a1ac590b009875cc38162




[-- Attachment #2: 0001-2020-03-22-Matt-Wette-mwette-alumni.caltech.edu.patch --]
[-- Type: text/x-patch, Size: 2354 bytes --]

From 71ff7e79369a4514a961fc5cf76593b254c32d4c Mon Sep 17 00:00:00 2001
From: Matt Wette <mwette@alumni.caltech.edu>
Date: Sun, 22 Mar 2020 09:12:37 -0700
Subject: [PATCH] 2020-03-22 Matt Wette <mwette@alumni.caltech.edu>

* configure.ac:
Provide new option: --disable-tmpnam
This is made available for installations that don't want to allow
the insecure POSIX tmpname function.  Use mkstemp! instead.

* libguile/posix.c
tmpnam is deprecated; and enabled by ENABLE_TMPNAM
---
 configure.ac     |  8 ++++++++
 libguile/posix.c | 11 +++++++++++
 2 files changed, 19 insertions(+)

diff --git a/configure.ac b/configure.ac
index 6198c7e..3e96094 100644
--- a/configure.ac
+++ b/configure.ac
@@ -166,6 +166,10 @@ AC_ARG_ENABLE(regex,
   [  --disable-regex         omit regular expression interfaces],,
   enable_regex=yes)
 
+AC_ARG_ENABLE(tmpnam,
+  AS_HELP_STRING([--disable-tmpnam],[omit POSIX tmpnam]),,
+  enable_tmpnam=yes)
+
 AC_ARG_ENABLE([deprecated],
   AS_HELP_STRING([--disable-deprecated],[omit deprecated features]))
 
@@ -909,6 +913,10 @@ if test "$enable_regex" = yes; then
    AC_DEFINE([ENABLE_REGEX], 1, [Define when regex support is enabled.])
 fi
 
+if test "$enable_tmpnam" = yes; then
+   AC_DEFINE([ENABLE_TMPNAM], 1, [Define when tmpnam support is enabled.])
+fi
+
 AC_REPLACE_FUNCS([strerror memmove])
 
 # Reasons for testing:
diff --git a/libguile/posix.c b/libguile/posix.c
index a1520ab..9b9b476 100644
--- a/libguile/posix.c
+++ b/libguile/posix.c
@@ -87,6 +87,10 @@
 #include "vectors.h"
 #include "version.h"
 
+#if (SCM_ENABLE_DEPRECATED == 1)
+#include "deprecation.h"
+#endif
+
 #include "posix.h"
 
 #if HAVE_SYS_WAIT_H
@@ -1588,6 +1592,8 @@ SCM_DEFINE (scm_environ, "environ", 0, 1, 0,
 }
 #undef FUNC_NAME
 
+#if (SCM_ENABLE_DEPRECATED == 1)
+#ifdef ENABLE_TMPNAM
 #ifdef L_tmpnam
 
 SCM_DEFINE (scm_tmpnam, "tmpnam", 0, 0, 0,
@@ -1602,6 +1608,9 @@ SCM_DEFINE (scm_tmpnam, "tmpnam", 0, 0, 0,
   char name[L_tmpnam];
   char *rv;
 
+  scm_c_issue_deprecation_warning
+      ("Use of tmpnam is deprecated.  Use mkstemp! instead.");
+
   SCM_SYSCALL (rv = tmpnam (name));
   if (rv == NULL)
     /* not SCM_SYSERROR since errno probably not set.  */
@@ -1610,6 +1619,8 @@ SCM_DEFINE (scm_tmpnam, "tmpnam", 0, 0, 0,
 }
 #undef FUNC_NAME
 
+#endif
+#endif
 #endif
 
 SCM_DEFINE (scm_tmpfile, "tmpfile", 0, 0, 0,
-- 
2.17.1

bug#29001: git patch

[Ludovic Courtès]

Hi Matt,

Matt Wette <matt.wette@gmail.com> skribis:

>>From 71ff7e79369a4514a961fc5cf76593b254c32d4c Mon Sep 17 00:00:00 2001
> From: Matt Wette <mwette@alumni.caltech.edu>
> Date: Sun, 22 Mar 2020 09:12:37 -0700
> Subject: [PATCH] 2020-03-22 Matt Wette <mwette@alumni.caltech.edu>
>
> * configure.ac:
> Provide new option: --disable-tmpnam
> This is made available for installations that don't want to allow
> the insecure POSIX tmpname function.  Use mkstemp! instead.
>
> * libguile/posix.c
> tmpnam is deprecated; and enabled by ENABLE_TMPNAM

I tweaked the commit log and pushed.  Thank you!

Ludo’.