Title
[filesys.ts] [PDTS] unique_path() is a security vulnerability
Status
open
Section
[fs.op.funcs]
Submitter
CH-19

Created on 2014-01-20.00:00:00 last changed 90 months ago

Messages

Date: 2016-01-28.01:00:35

[ This removes all references the function from the working draft. ]

Date: 2016-01-28.01:00:35

Proposed resolution:

Remove the two unique_path function signatures from 6 [fs.filesystem.synopsis].

Remove 15.38 [fs.op.unique_path] in its entirety.

Date: 2014-02-10.00:00:00

[ 2014-02-10 Beman Dawes ]

Previous resolution from Beman [SUPERSEDED]:

Change 15.38 [fs.op.unique_path]:

    path unique_pathgenerate_random_filename(const path& model="%%%%-%%%%-%%%%-%%%%");
    path unique_pathgenerate_random_filename(const path& model, error_code& ec);
  

The unique_path generate_random_filename function generates a name suitable for temporary files, including directories. The name is based on a model that uses the percent sign character to specify replacement by a random hexadecimal digit.

[Note: The more bits of randomness in the generated name, the less likelihood of prior existence or being guessed. Each replacement hexadecimal digit in the model adds four bits of randomness. The default model thus provides 64 bits of randomness. --end note]

Returns: A path identical to model, except that each occurrence of the percent sign character is replaced by a random hexadecimal digit character in the range 0-9, a-f. The signature with argument ec returns path() if an error occurs.

Throws: As specified in Error reporting.

Remarks: Implementations are encouraged to obtain the required randomness via a cryptographically secure pseudo-random number generator, such as one provided by the operating system. [Note: Such generators may block until sufficient entropy develops. --end note]

Replace this example with one that opens a std::ofstream:

[Example:

        cout << unique_pathgenerate_random_filename("test-%%%%%%%%%%%.txt") << endl;
      

Typical output would be "test-0db7f2bf57a.txt". Because 11 hexadecimal output characters are specified, 44 bits of randomness are supplied.  -- end example]

Date: 2014-02-12.00:00:00

[ 2014-02-12 The following Proposed wording was moved here to avoid confusion with the final Proposed resolution wording from the WG/SG3. ]

Date: 2014-02-12.00:00:00

[ 2014-02-12 The following Proposed resolution from CH-19 was moved here to avoid confusion with the final Proposed resolution wording from the WG/SG3. ]

Remove this function. Consider providing a function create_unique_directory(). If it fits the scope of the proposed TS, consider providing functions create_unique_file() that returns ifstream, ofstream and iofstream.

Date: 2014-02-11.00:00:00

[ 2014-02-11 Issaquah: Strike the function. ]

Date: 2016-02-11.02:13:37

Addresses: filesys.ts

unique_path() is a security vulnerability. As the Linux manual page for the similar function tmpnam() writes in the "BUGS" section: "Never use this function. Use mkstemp(3) or tmpfile(3) instead." mkstemp() and tmpfile() avoid the inherent race condition of unique_path() by returning an open file descriptor or FILE*.

[Beman Dawes comments: 10 Feb 2014:]

There are two issues here:

  • Confusion over what unique_path does and how it is used. The function is misleadingly named. These issue have arisen in the past, but apparently not been fully corrected. The suggested fix is to (1) rename the function and (2) provide an example of how to use the function safely with fstreams or even C I/O. See below for proposed wording.
  • Very real security concerns. See 2654. The security concerns are probably best dealt with in the next File System TS, since a full-blown proposal is needed and will likely take several years to develop.
History
Date User Action Args
2017-07-30 20:10:41adminsetstatus: wp -> open
2016-01-28 01:00:35adminsetmessages: + msg7809
2016-01-28 01:00:35adminsetmessages: + msg7808
2016-01-28 01:00:35adminsetmessages: + msg7807
2016-01-28 01:00:35adminsetmessages: + msg7806
2016-01-28 01:00:35adminsetmessages: + msg7805
2016-01-28 01:00:35adminsetmessages: + msg7804
2014-01-20 00:00:00admincreate