AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

2011.01.11 15:41 "Re: [Tiff] Missing mkstemp() on Visual Studio 2008", by Edward Lam

On 1/10/2011 7:01 PM, Igor Skochinsky wrote:

On Windows, one can use tmpfile_s().

Do NOT use tmpfile() ('secure' or not). Due to the DOS legacy, it tries to create the file in the root directory of the current drive, which fails for C:\ under non-admin user on Vista and later. Use instead tmpnam() followed by fopen() with mode "w+bTD" (write, binary, temporary, delete on close).

Good point. However, doesn't using tmpnam() re-introduce the possibility of a TOCTOU attack? It took me a while to find the current CERT recommendation on this [1]. The sad state of affairs as I read it seems that there is no 100% secure way to create temporary files on Windows!?

-Edward

1. https://www.securecoding.cert.org/confluence/display/seccode/FIO43-C.+Do+not+create+temporary+files+in+shared+directories
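
The TOCTOU concern raised in this message comes from the gap between tmpnam() choosing a name and fopen() opening it. As an added example (not code from this thread or from libtiff), the sketch below shows an mkstemp()-style helper that closes that gap by creating the file exclusively, so a name someone else has already created is rejected and another is tried. The function name `excl_mkstemp` and its retry limit are assumptions made for illustration; it does not address the other shared-directory concerns the CERT rule covers.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#ifdef _WIN32
#include <io.h>
#include <share.h>
#else
#include <unistd.h>
#endif

/* Hypothetical helper (illustration only): mkstemp-like exclusive create.
 * tmpl must end in "XXXXXX" and is overwritten with the name actually used.
 * Returns an open descriptor, or -1 with errno set. */
int excl_mkstemp(char *tmpl)
{
    static const char cs[] = "abcdefghijklmnopqrstuvwxyz0123456789";
    size_t len = strlen(tmpl), i;
    int attempt, fd;

    if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    for (attempt = 0; attempt < 100; attempt++) {
        /* rand() only spreads out collisions; the safety property comes
         * from the exclusive-create flag, not from the name. */
        for (i = 0; i < 6; i++)
            tmpl[len - 6 + i] = cs[rand() % (sizeof cs - 1)];
#ifdef _WIN32
        /* Add _O_TEMPORARY for delete-on-close (the "D" in fopen modes). */
        if (_sopen_s(&fd, tmpl, _O_CREAT | _O_EXCL | _O_RDWR | _O_BINARY,
                     _SH_DENYRW, _S_IREAD | _S_IWRITE) != 0)
            fd = -1;
#else
        fd = open(tmpl, O_CREAT | O_EXCL | O_RDWR, 0600);
#endif
        if (fd >= 0)
            return fd;      /* created by this call, not pre-existing */
        if (errno != EEXIST)
            return -1;      /* real error: do not retry */
    }
    errno = EEXIST;
    return -1;
}
```

Name selection and creation happen in one call here, so there is no separate check for a third party to race against; a pre-existing file at the candidate name only causes a retry.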