lib/commonio.c: Use unpredictable temporary names #1497
+27
−29
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stoeckmann
commented
Jan 11, 2026
stoeckmann
force-pushed
the
commonio_exclusive
branch
2 times, most recently
from
31a3f54 to
718ccee
Compare
stoeckmann
force-pushed
the
commonio_exclusive
branch
2 times, most recently
from
4d9ab38 to
92e2db5
Compare
stoeckmann
force-pushed
the
commonio_exclusive
branch
from
92e2db5 to
82b351e
Compare
stoeckmann
force-pushed
the
commonio_exclusive
branch
4 times, most recently
from
e22b9ab to
da37106
Compare
alejandro-colomar
approved these changes
Jan 12, 2026
Collaborator
alejandro-colomar
left a comment
alejandro-colomar
left a comment
There was a problem hiding this comment.
LGTM. Thanks!
Reviewed-by: Alejandro Colomar <[email protected]>
hallyn
reviewed
Jan 13, 2026
| FILE *bkfp; | ||
| int c; | ||
|
|
||
| stprintf_a(tmpf, "%s.cioXXXXXX", name); |
Member
There was a problem hiding this comment.
I do wish that this and the next stprintf_a also returned an error if
Collaborator
There was a problem hiding this comment.
Yeah, we could return -1 if it fails. After all, this function already reports some errors, and this is clearly an error.
It doesn't make sense to keep a file around if it's not even a proper backup. Signed-off-by: Tobias Stoeckmann <[email protected]>
Make sure that an attacker with sufficient privileges cannot simply create a file with expected temporary name to retrieve content of previous and/or future database. Signed-off-by: Tobias Stoeckmann <[email protected]>
Make sure that enough bytes exist for file name of temporary file which is used to construct the next database file. While at it, use a better variable name. Signed-off-by: Tobias Stoeckmann <[email protected]>
stoeckmann
force-pushed
the
commonio_exclusive
branch
from
da37106 to
d4e220d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Make sure that an attacker with sufficient privileges cannot simply create a file with expected temporary name to retrieve content of previous and/or future database.
Not as thoroughly tested as usual, but given that #1485 is basically the same and planned to be added to 4.19.1, this should be investigated as well.
In fact, this one is slightly worse because it affects every database write, even the ones with
--prefixwhich could point into directories which are not as protected as/etc.Still no serious security issue in my point of view, but better be safe than sorry and protect against it.