From ed89c51364112c79781e2fd20d4e50002c5f35ad Mon Sep 17 00:00:00 2001
From: Simon Marlow
Date: Tue, 23 Oct 2007 13:09:28 +0000
Subject: [PATCH] FIX #1258: document that openTempFile is secure(ish)

Also change the mode from 0666 to 0600, which seems like a more sensible value and matches what C's mkstemp() does.
---
 System/IO.hs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/System/IO.hs b/System/IO.hs
index 64ee0be..a887d99 100644
--- a/System/IO.hs
+++ b/System/IO.hs
@@ -419,6 +419,19 @@ hSetBinaryMode _ _ = return ()
 #ifndef __NHC__
 -- | The function creates a temporary file in ReadWrite mode.
 -- The created file isn\'t deleted automatically, so you need to delete it manually.
+--
+-- The file is creates with permissions such that only the current
+-- user can read/write it.
+--
+-- With some exceptions (see below), the file will be created securely
+-- in the sense that an attacker should not be able to cause
+-- openTempFile to overwrite another file on the filesystem using your
+-- credentials, by putting symbolic links (on Unix) in the place where
+-- the temporary file is to be created. On Unix the @O_CREAT@ and
+-- @O_EXCL@ flags are used to prevent this attack, but note that
+-- @O_EXCL@ is sometimes not supported on NFS filesystems, so if you
+-- rely on this behaviour it is best to use local filesystems only.
+--
 openTempFile :: FilePath -- ^ Directory in which to create the file
 -> String -- ^ File name template. If the template is \"foo.ext\" then
 -- the created file will be \"fooXXX.ext\" where XXX is some
@@ -462,7 +475,7 @@ openTempFile' loc tmp_dir template binary = do
 findTempName x = do
 fd <- withCString filepath $ \ f ->
- c_open f oflags 0o666
+ c_open f oflags 0o600
 if fd < 0
 then do
 errno <- getErrno
--
1.7.10.4
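Review bot: The added Haddock line `+-- The file is creates with permissions such that only the current` has a typo and should read `-- The file is created with permissions such that only the current`. That sentence also states the owner-only permission unconditionally, whereas the second hunk only changes the mode passed to the Unix `c_open` call (and that mode is still masked by the process umask, which can only tighten it); on platforms where the mode argument is not honoured the same way the claim is presumably weaker, so a hedge such as `-- (on Unix; other platforms may not apply the requested mode)` would be more accurate than the current wording. It would also help to say that the O_CREAT/O_EXCL guarantee covers the creation step only: anything the caller later does through the returned path rather than the returned Handle is outside what this comment promises. The `openTempFile` type signature that this comment documents continues past the end of the hunk.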