summaryrefslogtreecommitdiff
path: root/src/temp/__randname.c
AgeCommit message (Collapse)AuthorLines
2022-06-23avoid limited space of random temp file names if clock resolution is lowRich Felker-1/+1
this is not an issue that was actually hit, but I noticed it during previous changes to __randname: if the resolution of tv_nsec is too low, the space of temp file names obtainable by a thread could plausibly be exhausted. mixing in tv_sec avoids this.
2022-06-03remove random filename obfuscation that leaks ASLR informationRich Felker-1/+2
the __randname function is used by various temp file creation interfaces as a backend to produce a name to attempt using. it does not have to produce results that are safe against guessing, and only aims to avoid unintentional collisions. mixing the address of an object on the stack in a reversible manner leaked ASLR information, potentially allowing an attacker who can observe the temp files created and their creation timestamps to narrow down the possible ASLR state of the process that created them. there is no actual value in mixing these addresses in; it was just obfuscation. so don't do it. instead, mix the tid, just to avoid collisions if multiple processes/threads stampede to create temp files at the same moment. even without this measure, they should not collide unless the clock source is very low resolution, but it's a cheap improvement. if/when we have a guaranteed-available userspace csprng, it could be used here instead. even though there is no need for cryptographic entropy here, it would avoid having to reason about clock resolution and such to determine whether the behavior is nice.
2018-09-12overhaul internally-public declarations using wrapper headersRich Felker-2/+0
commits leading up to this one have moved the vast majority of libc-internal interface declarations to appropriate internal headers, allowing them to be type-checked and setting the stage to limit their visibility. the ones that have not yet been moved are mostly namespace-protected aliases for standard/public interfaces, which exist to facilitate implementing plain C functions in terms of POSIX functionality, or C or POSIX functionality in terms of extensions that are not standardized. some don't quite fit this description, but are "internally public" interfacs between subsystems of libc. rather than create a number of newly-named headers to declare these functions, and having to add explicit include directives for them to every source file where they're needed, I have introduced a method of wrapping the corresponding public headers. parallel to the public headers in $(srcdir)/include, we now have wrappers in $(srcdir)/src/include that come earlier in the include path order. they include the public header they're wrapping, then add declarations for namespace-protected versions of the same interfaces and any "internally public" interfaces for the subsystem they correspond to. along these lines, the wrapper for features.h is now responsible for the definition of the hidden, weak, and weak_alias macros. this means source files will no longer need to include any special headers to access these features. over time, it is my expectation that the scope of what is "internally public" will expand, reducing the number of source files which need to include *_impl.h and related headers down to those which are actually implementing the corresponding subsystems, not just using them.
2013-12-12include cleanups: remove unused headers and add feature test macrosSzabolcs Nagy-1/+0
2013-09-04fix typo in comment in __randnameRich Felker-1/+1
2013-02-20add mkostemp, mkstemps, and mkostemps functions and reorganize temp internalsRich Felker-0/+21
based on patch contributed by Anthony G. Basile (blueness) some issues remain with the filename generation algorithm and other small bugs, but this patch has been sitting around long enough that I feel it's best to get it committed and then work out any remaining issues.