Replace tmpnam() with mkstemp() to avoid possible /tmp race.

Problem found by David Wagner (among others).

2 files changed, 15 insertions, 23 deletions

diff --git a/usr.sbin/httpd/src/support/htdigest.c b/usr.sbin/httpd/src/support/htdigest.c
index 120ec86dffa..319d02bb95f 100644
--- a/usr.sbin/httpd/src/support/htdigest.c
+++ b/usr.sbin/httpd/src/support/htdigest.c
@@ -94,7 +94,7 @@
 
 #define MAX_STRING_LEN 256
 
-char *tn;
+static char tn[MAX_STRING_LEN];
 
 
 static void getword(char *word, char *line, char stop)
@@ -157,7 +157,7 @@ static void add_password(char *user, char *realm, FILE *f)
     ap_getpass("Re-type new password: ", pwv, sizeof(pwv));
     if (strcmp(pwin, pwv) != 0) {
 	fprintf(stderr, "They don't match, sorry.\n");
-	if (tn) {
+	if (tn[0] != '\0') {
 	    unlink(tn);
 	}
 	exit(1);
@@ -188,7 +188,7 @@ static void usage(void)
 static void interrupted(void)
 {
     fprintf(stderr, "Interrupted.\n");
-    if (tn)
+    if (tn[0] != '\0')
 	unlink(tn);
     exit(1);
 }
@@ -216,8 +216,8 @@ int main(int argc, char *argv[])
     char x[MAX_STRING_LEN];
     char command[MAX_STRING_LEN];
     int found;
+    int tfd;
 
-    tn = NULL;
     signal(SIGINT, (void (*)(int)) interrupted);
     if (argc == 5) {
 	if (strcmp(argv[1], "-c"))
@@ -241,9 +241,10 @@ int main(int argc, char *argv[])
     else if (argc != 4)
 	usage();
 
-    tn = tmpnam(NULL);
-    if (!(tfp = fopen(tn, "w"))) {
-	fprintf(stderr, "Could not open temp file.\n");
+    strcpy(tn, "/tmp/htdigest-XXXXXX");
+    tfd = mkstemp(tn);
+    if (tfd == -1 || (tfp = fdopen(tfd, "w")) == NULL) {
+	fprintf(stderr, "Could not create temp file.\n");
 	exit(1);
     }
 
diff --git a/usr.sbin/httpd/src/support/htpasswd.c b/usr.sbin/httpd/src/support/htpasswd.c
index 5fe1450747f..281c06bc38a 100644
--- a/usr.sbin/httpd/src/support/htpasswd.c
+++ b/usr.sbin/httpd/src/support/htpasswd.c
@@ -125,7 +125,7 @@
  * This needs to be declared statically so the signal handler can
  * access it.
  */
-static char *tempfilename;
+static char tempfilename[MAX_STRING_LEN];
 /*
  * If our platform knows about the tmpnam() external buffer size, create
  * a buffer to pass in.  This is needed in a threaded environment, or
@@ -285,7 +285,7 @@ static int usage(void)
 static void interrupted(void)
 {
     fprintf(stderr, "Interrupted.\n");
-    if (tempfilename != NULL) {
+    if (tempfilename[0] != '\0') {
 	unlink(tempfilename);
     }
     exit(ERR_INTERRUPTED);
@@ -377,8 +377,8 @@ int main(int argc, char *argv[])
     int noninteractive = 0;
     int i;
     int args_left = 2;
+    int tfd;
 
-    tempfilename = NULL;
     signal(SIGINT, (void (*)(int)) interrupted);
 
     /*
@@ -565,21 +565,12 @@ int main(int argc, char *argv[])
      * to add or update.  Let's do it..
      */
     errno = 0;
-    tempfilename = tmpnam(tname_buf);
-    if ((tempfilename == NULL) || (*tempfilename == '\0')) {
-	fprintf(stderr, "%s: unable to generate temporary filename\n",
-		argv[0]);
-	if (errno == 0) {
-	    errno = ENOENT;
-	}
-	perror("tmpnam");
-	exit(ERR_FILEPERM);
-    }
-    ftemp = fopen(tempfilename, "w+");
-    if (ftemp == NULL) {
+    strcpy(tempfilename, "/tmp/htpasswd-XXXXXX");
+    tfd = mkstemp(tempfilename);
+    if (tfd == -1 || (ftemp = fdopen(tfd, "w+")) == NULL) {
 	fprintf(stderr, "%s: unable to create temporary file '%s'\n", argv[0],
 		tempfilename);
-	perror("fopen");
+	perror("open");
 	exit(ERR_FILEPERM);
     }
     /*