<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Issue 2633: [filesys.ts] [PDTS] unique_path() is a security vulnerability</title>
<meta property="og:title" content="Issue 2633: [filesys.ts] [PDTS] unique_path() is a security vulnerability">
<meta property="og:description" content="C++ library issue. Status: TS">
<meta property="og:url" content="https://cplusplus.github.io/LWG/issue2633.html">
<meta property="og:type" content="website">
<meta property="og:image" content="http://cplusplus.github.io/LWG/images/cpp_logo.png">
<meta property="og:image:alt" content="C++ logo">
<style>
  p {text-align:justify}
  li {text-align:justify}
  pre code.backtick::before { content: "`" }
  pre code.backtick::after { content: "`" }
  blockquote.note
  {
    background-color:#E0E0E0;
    padding-left: 15px;
    padding-right: 15px;
    padding-top: 1px;
    padding-bottom: 1px;
  }
  ins {background-color:#A0FFA0}
  del {background-color:#FFA0A0}
  table.issues-index { border: 1px solid; border-collapse: collapse; }
  table.issues-index th { text-align: center; padding: 4px; border: 1px solid; }
  table.issues-index td { padding: 4px; border: 1px solid; }
  table.issues-index td:nth-child(1) { text-align: right; }
  table.issues-index td:nth-child(2) { text-align: left; }
  table.issues-index td:nth-child(3) { text-align: left; }
  table.issues-index td:nth-child(4) { text-align: left; }
  table.issues-index td:nth-child(5) { text-align: center; }
  table.issues-index td:nth-child(6) { text-align: center; }
  table.issues-index td:nth-child(7) { text-align: left; }
  table.issues-index td:nth-child(5) span.no-pr { color: red; }
  @media (prefers-color-scheme: dark) {
     html {
        color: #ddd;
        background-color: black;
     }
     ins {
        background-color: #225522
     }
     del {
        background-color: #662222
     }
     a {
        color: #6af
     }
     a:visited {
        color: #6af
     }
     blockquote.note
     {
        background-color: rgba(255, 255, 255, .10)
     }
  }
</style>
</head>
<body>
<hr>
<p><em>This page is a snapshot from the LWG issues list, see the <a href="lwg-active.html">Library Active Issues List</a> for more information and the meaning of <a href="lwg-active.html#TS">TS</a> status.</em></p>
<h3 id="2633"><a href="lwg-defects.html#2633">2633</a>. [filesys.ts] [PDTS] <code>unique_path()</code> is a security vulnerability</h3>
<p><b>Section:</b> 15 [filesys.ts::fs.op.funcs] <b>Status:</b> <a href="lwg-active.html#TS">TS</a>
 <b>Submitter:</b> CH-19 <b>Opened:</b> 2014-01-20 <b>Last modified:</b> 2017-07-30</p>
<p><b>Priority: </b>Not Prioritized
</p>
<p><b>View all other</b> <a href="lwg-index.html#filesys.ts::fs.op.funcs">issues</a> in [filesys.ts::fs.op.funcs].</p>
<p><b>View all issues with</b> <a href="lwg-status.html#TS">TS</a> status.</p>
<p><b>Discussion:</b></p>
<p><b>Addresses: filesys.ts</b></p>
<p><code>unique_path()</code> is a security vulnerability. As the Linux manual page for the similar
function <code>tmpnam()</code> writes in the "BUGS" section: "Never use this function. Use <code>mkstemp</code>(3)
or <code>tmpfile</code>(3) instead." <code>mkstemp()</code> and <code>tmpfile()</code> avoid the inherent race condition of
<code>unique_path()</code> by returning an open file descriptor or <code>FILE*</code>.</p>

<p><i>[Beman Dawes comments: 10 Feb 2014:]</i></p>
  <blockquote>
    <p>There are two issues here:</p>
    <ul>
      <li>
        Confusion over what unique_path does and how it is used. The function is
        misleadingly named. These issues have arisen in the past, but apparently have not
        been fully corrected. The suggested fix is to (1) rename the function and (2)
        provide an example of how to use the function safely with fstreams or even C I/O.
        See below for proposed wording.
      </li>
      <li>
        Very real security concerns. See <a href="lwg-closed.html#2654" title="[filesys.ts] [PDTS] Concerns with security and testability (Status: NAD Future)">2654</a><sup><a href="https://cplusplus.github.io/LWG/issue2654" title="Latest snapshot">(i)</a></sup>. The security
        concerns are probably best dealt with in the next File System TS, since a
        full-blown proposal is needed and will likely take several years to develop.
      </li>
    </ul>

  </blockquote>
  
  <p><i>[
    2014-02-11 Issaquah: Strike the function.
  ]</i></p>


  <p><i>[2014-02-12 The following Proposed resolution from CH-19 was moved here
  to avoid confusion with the final Proposed resolution wording from the WG/SG3.]</i></p>

  <p>
    Remove this function. Consider providing a function <code>create_unique_directory()</code>.
    If it fits the scope of the proposed TS, consider providing functions
    <code>create_unique_file()</code> that returns <code>ifstream</code>, <code>ofstream</code> and <code>iofstream</code>.
  </p>
  <p><i>[
    2014-02-12 The following Proposed wording was moved here
    to avoid confusion with the final Proposed resolution wording from the WG/SG3.
  ]</i></p>

  <p><i>[2014-02-10 Beman Dawes]</i></p>


  <p><strong>Previous resolution from Beman [SUPERSEDED]:</strong></p>
  <blockquote class="note">
  <p>
  <i>Change 15.38 [fs.op.unique_path]:</i>
  </p>
  <pre>
    path <del>unique_path</del><ins>generate_random_filename</ins>(const path&amp; model=&quot;%%%%-%%%%-%%%%-%%%%&quot;);
    path <del>unique_path</del><ins>generate_random_filename</ins>(const path&amp; model, error_code&amp; ec);
  </pre>
  <blockquote>
    <p>
      The <code>
        <del>unique_path</del>
        <ins>generate_random_filename</ins>
      </code> function generates a name suitable for temporary files, including directories. The name is based
      on a model that uses the percent sign character to specify replacement by a
      random hexadecimal digit.
    </p>
    <p>
      [<i>Note:</i> The more bits of randomness in the
      generated name, the less likelihood of prior existence or being guessed.
      Each replacement hexadecimal digit in the model adds four bits of randomness.
      The default model thus provides 64 bits of randomness. <i>--end note</i>]
    </p>
    <p>
      <i>Returns:</i> A path identical to <code>model</code>, except that each
      occurrence of the percent sign character is replaced by a random hexadecimal
      digit character in the range 0-9, a-f. The signature with argument <code>ec</code>
      returns <code>path()</code> if an error occurs.
    </p>
    <p>
      <i>Throws:</i> As specified in Error reporting.
    </p>
    <p>
      <i>Remarks:</i> Implementations are encouraged to obtain the required
      randomness via a <a href="http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator">cryptographically secure pseudo-random number generator</a>, such as one
      provided by the operating system. [<i>Note</i>: Such generators may block
      until sufficient entropy develops. <i>--end note</i>]
    </p>
    <p>
      <i>
        <span style="background-color: #e0e0e0">
          Replace this example with one
          that opens a std::ofstream:
        </span>
      </i>
    </p>
    <p>
      [<i>Example</i>:
    </p>
    <blockquote>
      <pre>
        cout &lt;&lt; <del>unique_path</del><ins>generate_random_filename</ins>(&quot;test-%%%%%%%%%%%.txt&quot;) &lt;&lt; endl;
      </pre>
    </blockquote>
    <p>
      Typical output would be <code>&quot;test-0db7f2bf57a.txt&quot;</code>. Because 11
      hexadecimal output characters are specified, 44 bits of randomness are
      supplied.&nbsp; <i>-- end example</i>]
    </p>
  </blockquote>
</blockquote>
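<p>The following is an added worked example, not code from this issue, from the File System TS, or from any implementation. It serves two passages above: the submitter's point that a function which only returns a <em>name</em> has an inherent race between choosing the name and creating the file, and Beman's note asking for an example that actually opens the file. It expands a <code>%</code> model from a CSPRNG the way the superseded <code>generate_random_filename</code> wording describes, then creates the file atomically with <code>O_CREAT|O_EXCL</code> and treats <code>EEXIST</code> as "pick another name", which is exactly what <code>mkstemp()</code> does internally. A pre-C++23 <code>std::ofstream</code> has no exclusive-create mode (C++23 added <code>std::ios::noreplace</code> for this), so the example uses POSIX <code>open()</code>; the function names, the <code>TMPDIR</code> fallback and the retry count are illustrative assumptions. The <code>racy_create</code> function is the pattern the issue objects to and is included only for contrast.</p>

```cpp
// Added example for LWG 2633 (not code from the issue or the File System TS).
// A '%' model is expanded from a CSPRNG, but the resulting name is never
// trusted on its own: the file is created atomically with O_CREAT|O_EXCL and
// an EEXIST result simply means "try a fresh name". Function names and the
// TMPDIR fallback are illustrative assumptions, not library API.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <random>
#include <stdexcept>
#include <string>
#include <system_error>
#include <fcntl.h>
#include <unistd.h>

// Each '%' becomes one hex digit, so it contributes 4 bits of randomness.
int randomness_bits(const std::string& model) {
    int n = 0;
    for (char c : model) if (c == '%') ++n;
    return 4 * n;
}

// Replace every '%' in the model with a random hex digit. std::random_device
// is backed by the OS CSPRNG on mainstream libstdc++/libc++/MSVC builds; a
// library whose random_device is deterministic would silently weaken this.
std::string expand_model(const std::string& model) {
    static const char hex[] = "0123456789abcdef";
    std::random_device rd;
    std::uniform_int_distribution<int> digit(0, 15);
    std::string out = model;
    for (char& c : out) if (c == '%') c = hex[digit(rd)];
    return out;
}

// The tmpnam()-style pattern the issue objects to, kept only for contrast:
// "does it exist?" and "create it" are two separate system calls, and the
// window between them is the race. Without O_EXCL, open() also follows a
// symlink planted at that name and the write lands elsewhere. Do not use.
int racy_create(const std::string& path) {
    if (::access(path.c_str(), F_OK) == 0) return -1;                  // looked free...
    return ::open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0600);   // ...maybe not now
}

struct UniqueFile { int fd; std::string path; };

// Race-free creation: with O_CREAT|O_EXCL the kernel refuses an existing name
// (and refuses to follow a symlink), so the caller either owns a brand-new
// file or gets EEXIST and retries with a fresh name. Mode 0600 keeps it private.
UniqueFile create_unique_file(const std::string& dir, const std::string& model,
                              int max_attempts = 16) {
    for (int i = 0; i < max_attempts; ++i) {
        std::string path = dir + "/" + expand_model(model);
        int fd = ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
        if (fd >= 0) return UniqueFile{fd, path};
        if (errno != EEXIST)
            throw std::system_error(errno, std::generic_category(), "open " + path);
    }
    throw std::runtime_error("no unique name after " + std::to_string(max_attempts) + " attempts");
}

// True if 'name' keeps every non-'%' character of 'model' and fills each '%'
// with a lowercase hex digit (used by the self-check).
bool expansion_matches(const std::string& model, const std::string& name) {
    if (model.size() != name.size()) return false;
    for (std::size_t i = 0; i < model.size(); ++i) {
        if (model[i] != '%') { if (name[i] != model[i]) return false; }
        else if (std::string("0123456789abcdef").find(name[i]) == std::string::npos) return false;
    }
    return true;
}

// Round trip in $TMPDIR (or /tmp): create, write, prove the name is now taken
// by a second exclusive create, clean up. True only if every step behaved.
bool self_check() {
    const char* env = std::getenv("TMPDIR");
    std::string dir = env ? env : "/tmp";
    UniqueFile f = create_unique_file(dir, "lwg2633-%%%%-%%%%-%%%%-%%%%.txt");
    bool ok = ::write(f.fd, "hello\n", 6) == 6;
    ok = ::close(f.fd) == 0 && ok;
    int again = ::open(f.path.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0600);
    ok = ok && again < 0 && errno == EEXIST;   // the name is owned; no second creator wins
    ok = ::unlink(f.path.c_str()) == 0 && ok;
    return ok;
}

int main() {
    const std::string model = "test-%%%%%%%%%%%.txt";   // 11 '%' => 44 bits, as in the wording above
    UniqueFile f = create_unique_file("/tmp", model);
    std::printf("created %s with %d bits of randomness\n", f.path.c_str(), randomness_bits(model));
    ::close(f.fd);
    ::unlink(f.path.c_str());
    return 0;
}
```

<p>The retry loop is what makes the design correct rather than merely probable: with 64 bits of randomness a collision is not a realistic event, but the code does not depend on that, it depends on the kernel's exclusive-create guarantee. Note also that the returned descriptor, not the path, is the thing to hand to the rest of the program; re-opening by path later reintroduces the race the function just avoided.</p>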



<p id="res-2633"><b>Proposed resolution:</b></p>

  <p>Remove the two <code>unique_path</code> function signatures from 6 [fs.filesystem.synopsis].</p>

  <p>Remove 15.38 [fs.op.unique_path] in its entirety.</p>

  <p><i>[This removes all references to the function from the working draft.]</i></p>

 





</body>
</html>
