Dangerous behaviour of mktemp when unknown flags are used

Denys Vlasenko vda.linux at googlemail.com
Tue Apr 17 13:48:20 UTC 2012


On Tue, Apr 10, 2012 at 4:24 AM, John Spencer
<maillist-busybox at barfooze.de> wrote:
> (this is busybox 1.19.2)
>
> /src/build/zlib-1.2.6/Makefile:tempfile := $(shell mktemp -u __XXXXXX)
>
> mktemp: illegal option: u
> BusyBox v1.19.2 (2012-04-08 20:17:39 GMT) multi-call binary.
>
> Usage: mktemp [-dt] [-p DIR] [TEMPLATE]
>
> ....
>
> zlib's Makefile uses mktemp -u without testing if it returns a result and
> then happily uses the variable to delete and create stuff.
>
> I don't think it's a good idea that the binary doesn't ignore (or only warn
> about the wrong config on stderr) and still return some usable string to the
> caller.

It doesn't return anything:

$ busybox mktemp -u 2>/dev/null
<nothing>
$

The entire output went to stderr. None is on stdout.
This is as correct a handling of an unknown option as it can get.

> I don't think that option is hard to add btw, would probably only involve
> about 5 loc.

Care to send a patch if it's so easy?

-- 
vda
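
The failure mode discussed in this thread, as an added example that is not part of the original message and not BusyBox or zlib code: a caller that accepts a generated temp name only when the command exited 0 and printed a non-empty string, and a cleanup step that refuses an empty name. The names `mktemp_no_u`, `checked_tempname`, `remove_temp` and the sample file name are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-in for a mktemp that rejects -u the way the quoted
# BusyBox 1.19.2 output does: message on stderr, nothing on stdout,
# non-zero exit status.
mktemp_no_u() {
    case "$1" in
        -u) echo "mktemp: illegal option: u" >&2; return 1 ;;
        *)  echo "__a1b2c3" ;;   # constructed sample name
    esac
}

# Run a name generator and pass its output on only if it exited 0
# and actually printed a name.
# Usage: name=$(checked_tempname CMD [ARGS...]) || handle_error
checked_tempname() {
    _out=$("$@" 2>/dev/null) || return 1
    [ -n "$_out" ] || return 1
    printf '%s\n' "$_out"
}

# Remove a temp file, refusing an empty name so that a failed
# generator can never turn into "rm -f" on an unintended operand.
remove_temp() {
    [ -n "$1" ] || { echo "remove_temp: empty name, refusing" >&2; return 1; }
    rm -f -- "$1"
}

# Caller: the unsupported flag is detected here instead of an empty
# variable flowing into later create/delete commands.
if tempfile=$(checked_tempname mktemp_no_u -u __XXXXXX); then
    remove_temp "$tempfile"
else
    echo "temp name generation failed; skipping cleanup" >&2
fi
```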

