[fpc-pascal] GetTempFileName in Linux

Sven Barth pascaldragon at googlemail.com
Wed Oct 6 09:40:42 CEST 2010


On 05.10.2010 18:26, ik wrote:
> On Tue, Oct 5, 2010 at 17:30, Sven Barth <pascaldragon at googlemail.com> wrote:
>
>     On 05.10.2010 17:20, Leonardo M. Ramé wrote:
>
>         Hi, if I run this program from command line in Linux, I always
>         get the same result, "/tmp/TMP00000.tmp". Shouldn't it return a
>         different file name each time it's executed?
>
>         How can I get different file names?
>
>         program tempfilename;
>         uses
>            sysutils;
>         begin
>            writeln(GetTempFileName);
>         end.
>
>
>     Did you delete the file after the run of your program?
>     GetTempFileName always starts from 0 and checks whether that file
>     already exists. If not, it returns that name; otherwise it continues
>     increasing the index.
>
>
>
> That's a security risk, because it is very easy to know what will be the
> file name. It should return a random name that does not exist, with a random
> length (that the developer chooses).
>
> Symlink attack:
> http://www.infosecwriters.com/texts.php?op=display&id=159 for better
> understanding.

Windows (or at least ReactOS) seems to use GetTickCount to generate a 
random filename: 
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/kernel32/file/file.c?revision=48845&view=markup 
(look for GetTempFilenameW)

Regards,
Sven
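
An added example, not part of the original thread or of the FPC RTL: on Linux, opening the file with O_CREAT|O_EXCL makes the existence check and the creation one atomic step and refuses a symlink planted at the name, which closes the symlink attack mentioned above. The function names, the TMP<hex>.tmp pattern and the scratch directory are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* O_EXCL: check and create are one atomic step; an existing file or symlink gives EEXIST. */
int create_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
}

/* Hypothetical helper: random-named private file in dir; returns fd (path in out) or -1. */
int secure_temp(const char *dir, char *out, size_t outlen)
{
    int fd = -1, rnd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    unsigned long long r;
    for (int tries = 0; rnd >= 0 && tries < 100; tries++) {
        if (read(rnd, &r, sizeof r) != (ssize_t)sizeof r) break;
        if (snprintf(out, outlen, "%s/TMP%016llx.tmp", dir, r) >= (int)outlen) break;
        fd = create_exclusive(out);
        if (fd >= 0 || errno != EEXIST) break;   /* done, or a real error */
    }
    if (rnd >= 0) close(rnd);
    return fd;
}

/* Constructed scenario: symlink sits at the guessable name; 1 if refused and target untouched. */
int planted_symlink_refused(const char *dir)
{
    char lnk[512], target[512];
    snprintf(lnk, sizeof lnk, "%s/TMP00000.tmp", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lnk) != 0) return -1;
    int fd = create_exclusive(lnk);
    int refused = fd < 0 && errno == EEXIST && access(target, F_OK) != 0;
    if (fd >= 0) close(fd);
    unlink(lnk);
    return refused;
}

int main(void)
{
    char dir[] = "/tmp/excl_demo_XXXXXX", name[256];
    if (!mkdtemp(dir) || secure_temp(dir, name, sizeof name) < 0) return 1;
    printf("created %s, planted symlink refused: %d\n", name, planted_symlink_refused(dir));
    return 0;
}
```

The caller keeps and uses the returned descriptor; reopening the file by name later would reintroduce the window that O_EXCL closes.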


