On 2008-08-15 11:21 +0200, Riku Voipio wrote:

>> mktemp /tmp/$0.$$.XXXXX 
>
> The problem here is that you are using too short a template. Try:
>
> mktemp /tmp/$0.$$.XXXXXXXXXXXXXXXXXXXXXXX
>
> using only 5 * X as in your version makes your app quite possibly
> brute-forceable.

Not really: to make mktemp fail with 5 X's, an attacker would have to
create 52^5 = 380204032 file names, which would probably make the file
system run out of inodes.

>> This is the way it should be (Opensuse):
>
> I suspect opensuse uses the gnu coreutils version of mktemp?

Seems so.  Opensuse 11.0 no longer has an mktemp package, while their
package from 10.3 shows the same behavior as the Debian version.

>> I suggest you use
>
>> a) a mixture of letters and numbers for mktemp 
>
> Which is what mktemp does. You might want to read the manpage
> of mktemp.

Apart from the pid, mktemp only uses the letters A-Z and a-z.

Sven
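The template-length question both messages turn on, as an added example that is not part of the original thread: a small POSIX sh linter that counts the trailing X's in every mktemp template it finds in a script and flags those below a threshold. The threshold MIN_X, the helper names and the sample script are constructed for this demo and are not from the thread; which alphabet mktemp actually draws from is left to mktemp(1).

```shell
#!/bin/sh
# Added example: lint a shell script for mktemp templates with too few
# trailing X's. MIN_X is an assumed threshold, not a value from the thread.
MIN_X=10

# Print the number of trailing X's in a template, e.g. /tmp/$0.$$.XXXXX -> 5.
count_trailing_x() {
    xs=${1##*[!X]}          # drop everything up to the last non-X character
    printf '%s\n' "${#xs}"
}

# Exit 0 if the template has at least MIN_X trailing X's, 1 otherwise.
template_ok() {
    [ "$(count_trailing_x "$1")" -ge "$MIN_X" ]
}

# Read a script on stdin; print "LINE:TEMPLATE:COUNT" for each mktemp call
# whose template is too short. Exit 1 if any were found, 0 otherwise.
scan_script() {
    set -f                  # no pathname expansion while splitting words
    lineno=0 found=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case $line in *mktemp*) ;; *) continue ;; esac
        for word in $line; do
            case $word in *X*) ;; *) continue ;; esac
            word=${word%\)}; word=${word%\"}; word=${word%\'}   # strip closers
            template_ok "$word" && continue
            printf '%s:%s:%s\n' "$lineno" "$word" "$(count_trailing_x "$word")"
            found=1
        done
    done
    [ "$found" -eq 0 ]
}

# Constructed sample script: one short template, one long one.
SAMPLE='#!/bin/sh
tmp=$(mktemp /tmp/$0.$$.XXXXX)
log=$(mktemp /tmp/$0.$$.XXXXXXXXXXXXXXXXXXXXXXX)
echo done'

# Prints "2:/tmp/$0.$$.XXXXX:5" for the sample above.
printf '%s\n' "$SAMPLE" | scan_script || echo "weak mktemp template(s) found"
```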
