On 10/7/24 12:54, Gustaf Neumann (sslmail) wrote:
Dear all.
[..] However, there are many cases, where existing programs use "ns_mkstemp", which cannot be replaced easily. When looking at OpenACS, I see 33 cases like

- the temporary name is passed to an external program (e.g. "tar", "zip", image creation), or
- the temporary name is passed to a Tcl function expecting a filename (e.g. "file copy").

So, dropping the support for "ns_mkstemp" fully is not a good option. Also, providing a "home-cooked" version of "ns_mktemp" is not good either (both in Tcl or in C), since technically speaking, this will not be better than the original function having the same problems. Ignoring the compilation warning is not good either, since sooner or later, the deprecated function will be removed.

What should we do?

- place "ns_mktemp" into an external module? NaviServer will compile nicely, but applications like OpenACS will have to load the module, making administration and migration to NaviServer 5 less smooth.
- Call the safe function (e.g. mkstemp()) and delete the file, while producing a deprecation message? This could also be done on the Tcl-level.

I like this option best. It maintains backward compatibility for the application, encourages update to more secure approaches, discourages future use - especially when accompanied by respective hints in the documentation - and removes the warnings for up-to-date applications.

At some time in the future, the wrapped ns_mktemp could then be deprecated and moved out into an external module, which still allows legacy operations to continue using it, while raising the bar.

Best Regards,

  Georg

Other options? Opinions?

All the best
-g

[1] https://pubs.opengroup.org/onlinepubs/009695399/functions/mktemp.html
[1] https://man.openbsd.org/OpenBSD-7.5/mkstemp.3


_______________________________________________
naviserver-devel mailing list
naviserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
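
The option favoured in this thread (call mkstemp(), delete the file, emit a deprecation message), sketched in C as an added example; it is not NaviServer code, and `compat_mktemp`, `open_returned_name` and `demo` are hypothetical names. It also shows why the result is still only a name: a caller that creates the file itself needs an exclusive open to notice anything that appeared at that path in the meantime.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical compatibility wrapper: replaces the trailing XXXXXX of tmpl
 * with a unique name and leaves no file behind. Returns 0, or -1 on error. */
static int compat_mktemp(char *tmpl)
{
    int fd = mkstemp(tmpl);            /* atomic create, owner-only permissions */
    if (fd < 0) {
        return -1;
    }
    close(fd);
    if (unlink(tmpl) != 0) {           /* hand back a name only, like mktemp() */
        return -1;
    }
    fprintf(stderr, "deprecated: name-only temporary file requested (%s)\n", tmpl);
    return 0;
}

/* For callers that create the file themselves: O_CREAT|O_EXCL fails with
 * EEXIST if a file or symlink already sits at the path. Returns fd or -1. */
static int open_returned_name(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 if the wrapper leaves no file on disk and a second exclusive
 * open is refused once the path has been occupied. */
static int demo(void)
{
    char name[] = "/tmp/compat-demo-XXXXXX";   /* constructed sample template */
    int fd, fd2, ok;

    if (compat_mktemp(name) != 0 || access(name, F_OK) == 0) return 0;
    fd = open_returned_name(name);     /* stands in for the path being taken */
    if (fd < 0) return 0;
    fd2 = open_returned_name(name);    /* the later exclusive open */
    ok = (fd2 < 0 && errno == EEXIST);
    if (fd2 >= 0) close(fd2);
    close(fd);
    unlink(name);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

External programs such as "tar" or "zip" that receive the name cannot be made to open it exclusively, which is the residual exposure the deprecation message is meant to flag.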