[fpc-pascal] GetTempFileName in Linux

ik idokan at gmail.com
Tue Oct 5 18:26:59 CEST 2010


On Tue, Oct 5, 2010 at 17:30, Sven Barth <pascaldragon at googlemail.com> wrote:

> On 05.10.2010 17:20, Leonardo M. Ramé wrote:
>
>> Hi, if I run this program from command line in Linux, I always get the
>> same result, "/tmp/TMP00000.tmp". Shouldn't it return a different file name
>> each time it's executed?
>>
>> How can I get different file names?
>>
>> program tempfilename;
>> uses
>>   sysutils;
>> begin
>>   writeln(GetTempFileName);
>> end.
>>
>
> Did you delete the file after the run of your program? GetTempFileName
> always starts from 0 and checks whether that file already exists. If not, it
> returns that name, else it continues increasing the index.
>


That's a security risk, because it is very easy to know what the file name
will be. It should return a random name that does not exist, of a random
length (that the developer chooses).

Symlink attack:
http://www.infosecwriters.com/texts.php?op=display&id=159 for better
understanding.


>
> Regards,
> Sven
>
> _______________________________________________
> fpc-pascal maillist  -  fpc-pascal at lists.freepascal.org
> http://lists.freepascal.org/mailman/listinfo/fpc-pascal
>


Ido
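
Added example, not part of the original message or of the FPC sources: one way to avoid the check-then-use gap discussed in this thread is to pick an unpredictable name and create the file atomically with O_CREAT or O_EXCL, so an existing path (including a planted symlink) makes the open fail instead of being followed. The helper names RandomHex and CreateTempFile are hypothetical; the sketch assumes Linux, the BaseUnix unit and a readable /dev/urandom.

```pascal
program safetemp;
{$mode objfpc}{$H+}
uses
  SysUtils, BaseUnix;

{ Hypothetical helper: 16 bytes from /dev/urandom as 32 hex characters. }
function RandomHex: string;
var
  fd: cint;
  buf: array[0..15] of Byte;
  i: Integer;
begin
  Result := '';
  fd := FpOpen('/dev/urandom', O_RdOnly);
  if fd < 0 then
    raise Exception.Create('cannot open /dev/urandom');
  try
    if FpRead(fd, buf, SizeOf(buf)) <> SizeOf(buf) then
      raise Exception.Create('short read from /dev/urandom');
  finally
    FpClose(fd);
  end;
  for i := Low(buf) to High(buf) do
    Result := Result + IntToHex(buf[i], 2);
end;

{ Hypothetical helper: creates the file and returns an open descriptor.
  With O_Creat or O_Excl the kernel does the existence check and the
  creation in one step and fails with EEXIST if the path exists, even
  when it is a symlink, so the link target is never opened. }
function CreateTempFile(const Dir, Prefix: string; out Path: string): cint;
var
  attempt: Integer;
begin
  for attempt := 1 to 100 do
  begin
    Path := IncludeTrailingPathDelimiter(Dir) + Prefix + RandomHex + '.tmp';
    Result := FpOpen(Path, O_RdWr or O_Creat or O_Excl, &600);
    if Result >= 0 then Exit;                 { created, owner-only mode }
    if fpGetErrno <> ESysEEXIST then Break;   { real error, not a collision }
  end;
  raise Exception.CreateFmt('cannot create temp file in %s', [Dir]);
end;

var
  fd: cint;
  name: string;
begin
  fd := CreateTempFile(GetTempDir(False), 'TMP', name);
  WriteLn('created ', name);
  FpClose(fd);
  DeleteFile(name);
end.
```

The caller keeps using the returned descriptor rather than reopening the file by name, which is what closes the window between choosing the name and writing to it.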