Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Trickle Down Bugs: Who broke our code?

by Anonymous Monk
on Jun 12, 2018 at 22:40 UTC ( #1216513=perlquestion: print w/replies, xml ) Need Help??
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I dug out some old code and tried to run on 5.26.2:
Unimplemented: POSIX::tmpnam(): use File::Temp instead at POSIX.pm line 185.
Now I have to edit a module? Great! This is apparently why:
"POSIX.1-2008 marks tmpnam() as obsolete."
"Note: avoid using these functions; use mkstemp(3) or tmpfile(3) instead."
man7.org/linux/man-pages/man3/tmpnam.3.html
My question is why are POSIX, and by extension Perl, breaking our code because *they* made a mistake? Why didn't they fix tmpnam() as if lives depended on not breaking standards? I hope no pacemakers use this C routine. By not making one fix they broke probably vast numbers of programs. I guess someone who knows how could grep github to see the damage.

Replies are listed 'Best First'.
Re: Trickle Down Bugs: Who broke our code?
by ikegami (Pope) on Jun 13, 2018 at 05:20 UTC

    Because the problem with tmpnam is its interface, it's impossible to fix without breaking code.

Re: Trickle Down Bugs: Who broke our code?
by afoken (Abbot) on Jun 13, 2018 at 21:22 UTC

    Well, you could monkey-patch a tmpname implementation into the POSIX namespace.

    BUT:

    The POSIX module promises to provide you with an interface "to access all (or nearly all) the standard POSIX 1003.1 identifiers.". So everything in the POSIX namespace should / shall / must behave according to POSIX. Implementing a POSIX::tmpnam() that does something completely different will cause even more trouble.

    POSIX has specified the behaviour of tmpnam(), probably after it was implemented everywhere. And unfortunately, tmpnam() just sucks. The problem is explained in https://linux.die.net/man/3/tmpnam and other places. Short: You build huge gapping security holes when using tmpnam(). Quoting the man page:

    Bugs

    Never use this function.

    The clean way to handle temp files is File::Temp, and use the file handles instead of file names. Of course, this will require changes to the existing code. But those changes will remove the security holes introduced by tmpnam().

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: Trickle Down Bugs: Who broke our code?
by karlgoethebier (Monsignor) on Jun 13, 2018 at 14:13 UTC
    "...Who broke our code"

    I'm not sure. Probably it was the author?

    It might be easier to install perlbrew instead of rewriting your beloved toolchain:

    karls-mac-mini:hook karl$ perl -MPOSIX=tmpnam -e 1 Unimplemented: POSIX::tmpnam(): use File::Temp instead at /Users/karl/ +perl5/perlbrew/perls/perl-5.26.2/lib/5.26.2/darwin-2level/POSIX.pm li +ne 185. Unimplemented: POSIX::tmpnam() at -e line 0. BEGIN failed--compilation aborted. karls-mac-mini:hook karl$ perlbrew list 5.14.2threads perl-5.16.2 perl-5.16.3 perl-5.17.7 perl-5.18.0 perl-5.18.1 perl-5.18.2 perl-5.18.2threads perl-5.20.0 perl-5.20.0threads perl-5.22.1-threads perl-5.24.1threads * perl-5.26.2 karls-mac-mini:hook karl$ perlbrew use perl-5.24.1threads karls-mac-mini:hook karl$ perl -MPOSIX=tmpnam -e 1

    Yes, i know ... it's just a callow idea for the rescue in a hurry.

    Best regards, Karl

    «The Crux of the Biscuit is the Apostrophe»

    perl -MCrypt::CBC -E 'say Crypt::CBC->new(-key=>'kgb',-cipher=>"Blowfish")->decrypt_hex($ENV{KARL});'Help

Re: Trickle Down Bugs: Who broke our code?
by taint (Chaplain) on Jun 13, 2018 at 02:36 UTC
    LOL maybe:
    use POSIX qw(no tmpnam);
    ;-)

    ˇλɐp ʇɑəɹ⅁ ɐ əʌɐɥ puɐ ʻꜱdləɥ ꜱᴉɥʇ ədoH

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1216513]
Approved by taint
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (5)
As of 2018-12-10 11:57 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    How many stories does it take before you've heard them all?







    Results (48 votes). Check out past polls.

    Notices?
    • (Sep 10, 2018 at 22:53 UTC) Welcome new users!