2633. [filesys.ts] [PDTS] unique_path() is a security vulnerability

Section: 99 [filesys.ts::fs.op.funcs] Status: TS Submitter: CH-19 Opened: 2014-01-20 Last modified: 2017-07-30

Priority: Not Prioritized

View all other issues in [filesys.ts::fs.op.funcs].

View all issues with TS status.

Discussion:

Addresses: filesys.ts

unique_path() is a security vulnerability. As the Linux manual page for the similar function tmpnam() writes in the "BUGS" section: "Never use this function. Use mkstemp(3) or tmpfile(3) instead." mkstemp() and tmpfile() avoid the inherent race condition of unique_path() by returning an open file descriptor or FILE*.

[Beman Dawes comments: 10 Feb 2014:]

There are two issues here:

[ 2014-02-11 Issaquah: Strike the function. ]

[2014-02-12 The following Proposed resolution from CH-19 was moved here to avoid confusion with the final Proposed resolution wording from the WG/SG3.]

Remove this function. Consider providing a function create_unique_directory(). If it fits the scope of the proposed TS, consider providing functions create_unique_file() that returns ifstream, ofstream and iofstream.

[ 2014-02-12 The following Proposed wording was moved here to avoid confusion with the final Proposed resolution wording from the WG/SG3. ]

[2014-02-10 Beman Dawes]

Previous resolution from Beman [SUPERSEDED]:

Change 15.38 [fs.op.unique_path]:

    path unique_pathgenerate_random_filename(const path& model="%%%%-%%%%-%%%%-%%%%");
    path unique_pathgenerate_random_filename(const path& model, error_code& ec);
  

The unique_path generate_random_filename function generates a name suitable for temporary files, including directories. The name is based on a model that uses the percent sign character to specify replacement by a random hexadecimal digit.

[Note: The more bits of randomness in the generated name, the less likelihood of prior existence or being guessed. Each replacement hexadecimal digit in the model adds four bits of randomness. The default model thus provides 64 bits of randomness. --end note]

Returns: A path identical to model, except that each occurrence of the percent sign character is replaced by a random hexadecimal digit character in the range 0-9, a-f. The signature with argument ec returns path() if an error occurs.

Throws: As specified in Error reporting.

Remarks: Implementations are encouraged to obtain the required randomness via a cryptographically secure pseudo-random number generator, such as one provided by the operating system. [Note: Such generators may block until sufficient entropy develops. --end note]

Replace this example with one that opens a std::ofstream:

[Example:

        cout << unique_pathgenerate_random_filename("test-%%%%%%%%%%%.txt") << endl;
      

Typical output would be "test-0db7f2bf57a.txt". Because 11 hexadecimal output characters are specified, 44 bits of randomness are supplied.  -- end example]

Proposed resolution:

Remove the two unique_path function signatures from 6 [fs.filesystem.synopsis].

Remove 15.38 [fs.op.unique_path] in its entirety.

[This removes all references the function from the working draft.]