From: Georg L. <jor...@ma...> - 2024-10-07 17:33:53
On 10/7/24 12:54, Gustaf Neumann (sslmail) wrote:
> Dear all.
> [..] However, there are many cases, where existing programs use
> "ns_mkstemp", which cannot be replaced easily. When looking at
> OpenACS, I see 33 cases like
> - the temporary name is passed to an external program (e.g. "tar",
>   "zip", image creation), or
> - the temporary name is passed to a Tcl function expecting a filename
>   (e.g. "file copy").
>
> So, dropping the support for "ns_mkstemp" fully is not a good option.
> Also, providing a "home-cooked" version of "ns_mktemp" is not good
> either (both in Tcl or in C), since technically speaking, this will
> not be better than the original function having the same problems.
> Ignoring the compilation warning is not good either, since sooner or
> later, the deprecated function will be removed.
>
> What should we do?
> - place "ns_mktemp" into an external module? NaviServer will compile
>   nicely, but applications like OpenACS will have to load the module,
>   making administration and migration to NaviServer 5 less smooth.
> - Call the safe function (e.g. mkstemp()) and delete the file, while
>   producing a deprecation message? This could also be done on the
>   Tcl-level.

I like this option best. It maintains backward compatibility for the application, encourages update to more secure approaches, discourages future use - especially when accompanied by respective hints in the documentation - and removes the warnings for up-to-date applications.

At some time in the future, the wrapped ns_mktemp could then be deprecated and moved out into an external module, which still allows legacy operations to continue using it, while raising the bar.

Best Regards,
Georg

> Other options? Opinions?
>
> All the best
> -g
>
> [1] https://pubs.opengroup.org/onlinepubs/009695399/functions/mktemp.html
> [1] https://man.openbsd.org/OpenBSD-7.5/mkstemp.3
>
> _______________________________________________
> naviserver-devel mailing list
> nav...@li...
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
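
The option favoured in this message (call mkstemp(), delete the file, emit a deprecation message), written out in C as an added example that is not part of the thread or of NaviServer's code. The names `compat_mktemp` and `open_candidate` are hypothetical and only POSIX calls are assumed; the second function shows the exclusive create a caller needs, because the returned name is free again once the file is deleted.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical shim with the mktemp(3) contract: fills the trailing XXXXXX
 * of tmpl and returns it, or NULL on failure. The name is produced by
 * mkstemp(3) and the file is removed again, so the result is only a
 * candidate name that another process may claim before the caller uses it. */
char *compat_mktemp(char *tmpl)
{
    static int warned = 0;
    int fd = mkstemp(tmpl);          /* creates the file: O_EXCL, mode 0600 */

    if (fd < 0) {
        return NULL;                 /* e.g. EINVAL: no XXXXXX suffix */
    }
    close(fd);
    unlink(tmpl);                    /* only the name is handed back */
    if (!warned) {                   /* best-effort: warn once */
        fprintf(stderr, "compat_mktemp is deprecated: keep the descriptor "
                        "returned by mkstemp() instead\n");
        warned = 1;
    }
    return tmpl;
}

/* For callers that only receive a name: O_CREAT|O_EXCL makes open() fail
 * with EEXIST if a file or symlink has appeared at that path meanwhile. */
int open_candidate(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    char tmpl[] = "/tmp/compat-XXXXXX";   /* constructed sample template */
    int fd;

    if (compat_mktemp(tmpl) == NULL || (fd = open_candidate(tmpl)) < 0) {
        perror("temporary file");
        return 1;
    }
    printf("created %s exclusively\n", tmpl);
    close(fd);
    unlink(tmpl);
    return 0;
}
```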