m4 2.0 maketemp vs. mkstemp

[Eric Blake]

The Austin group has recommended that for the next version of POSIX, m4's 
maketemp macro be deprecated as insecure (POSIX specifies it to replace 
trailing X's with the pid without regards to file existence, which makes it 
easy for an attacker to provide a substitute file), and add a new macro mkstemp 
that matches the current M4 1.4.x maketemp semantics [1] (based on mkstemp(3) 
semantics).  As a result, I will be patching CVS m4 to emit a warning on use of 
maketemp, and that will cause autom4te to fail if anyone is using m4sugar's 
current m4_maketemp.  So I propose this patch, which adds m4_mkstemp, and makes 
m4_maketemp and m4_mkstemp synonyms (both pointing to the non-warning variant 
provided by the underlying M4).  OK to apply?

[1] See the thread at 
http://www.opengroup.org/austin/mailarchives/ag/msg09834.html; if you are an 
Austin group member (free registration), you can also login to read the 
referenced proposed interpretation 117.

2006-10-19  Eric Blake  <address@hidden>

        * lib/m4sugar/m4sugar.m4 (m4_maketemp): Avoid warnings generated
        by M4 1.9a.
        * lib/emacs/autoconf-mode.el (autoconf-font-lock-keywords):
        Color m4_mkstemp.
        * doc/autoconf.texi (Redefined M4 Macros): Document m4_mkstemp.

Index: lib/m4sugar/m4sugar.m4
===================================================================
RCS file: /sources/autoconf/autoconf/lib/m4sugar/m4sugar.m4,v
retrieving revision 2.99
diff -u -r2.99 m4sugar.m4
--- lib/m4sugar/m4sugar.m4      20 Jun 2006 05:35:38 -0000      2.99
+++ lib/m4sugar/m4sugar.m4      19 Oct 2006 16:46:56 -0000
@@ -140,7 +140,11 @@
 m4_rename_m4([len])
 m4_rename([m4exit], [m4_exit])
 m4_rename([m4wrap], [m4_wrap])
-m4_rename_m4([maketemp])
+m4_ifdef([mkstemp],
+ [m4_rename_m4([mkstemp])
+  m4_copy([m4_mkstemp], [m4_maketemp])],
+ [m4_rename_m4([maketemp])
+  m4_copy([m4_maketemp], [m4_mkstemp])])
 m4_rename([patsubst], [m4_bpatsubst])
 m4_undefine([popdef])
 m4_rename_m4([pushdef])
Index: doc/autoconf.texi
===================================================================
RCS file: /sources/autoconf/autoconf/doc/autoconf.texi,v
retrieving revision 1.1096
diff -u -r1.1096 autoconf.texi
--- doc/autoconf.texi   17 Oct 2006 02:31:44 -0000      1.1096
+++ doc/autoconf.texi   19 Oct 2006 16:56:58 -0000
@@ -9752,7 +9752,6 @@
 @msindex{index}
 @msindex{indir}
 @msindex{len}
address@hidden
 @msindex{pushdef}
 @msindex{shift}
 @msindex{substr}
@@ -9856,6 +9855,20 @@
 to recover the behavior of the builtin.
 @end defmac
 
address@hidden m4_maketemp (@var{template})
address@hidden m4_mkstemp (@var{template})
address@hidden
address@hidden
+Posix requires @code{maketemp} to replace the trailing @samp{X}
+characters in @var{template} with the process id, without regards to the
+existence of a file by that name, but this a security hole.  When this
+was pointed out to the Posix folks, they agreed to invent a new macro
address@hidden that always creates a uniquely named file, but not all
+versions of @acronym{GNU} M4 support the new macro.  In M4sugar,
address@hidden and @code{m4_mkstemp} are synonyms for each other,
+and both have the secure semantics regardless of which macro the
+underlying M4 provides.
address@hidden defmac
 
 
 @node Looping constructs
@@ -19135,4 +19148,6 @@
 @c Local Variables:
 @c fill-column: 72
 @c ispell-local-dictionary: "american"
address@hidden indent-tabs-mode: nil
address@hidden whitespace-check-buffer-indent: nil
 @c End:
Index: lib/emacs/autoconf-mode.el
===================================================================
RCS file: /sources/autoconf/autoconf/lib/emacs/autoconf-mode.el,v
retrieving revision 1.4
diff -u -r1.4 autoconf-mode.el
--- lib/emacs/autoconf-mode.el  14 May 2005 07:00:40 -0000      1.4
+++ lib/emacs/autoconf-mode.el  19 Oct 2006 17:09:59 -0000
@@ -6,7 +6,7 @@
 
 ;; This file is part of Autoconf
 
-;; Copyright 2001 Free Software Foundation, Inc.
+;; Copyright 2001, 2006 Free Software Foundation, Inc.
 ;;
 ;; This program is free software; you can redistribute it and/or modify
 ;; it under the terms of the GNU General Public License as published by
@@ -40,7 +40,7 @@
 (defvar autoconf-font-lock-keywords
   `(("\\bdnl \\(.*\\)"  1 font-lock-comment-face t)
     ("address@hidden" . font-lock-variable-name-face)
-    ("\\b\\(m4_\\)?\\(builtin\\|change\\(com\\|quote\\|word\\)
\\|d\\(e\\(bug\\(file\\|mode\\)\\|cr\\|f\\(ine\\|n\\)\\)\\|iv\\(ert\\|num\\)
\\|nl\\|umpdef\\)\\|e\\(rrprint\\|syscmd\\|val\\)\\|f\\(ile\\|ormat\\)
\\|gnu\\|i\\(f\\(def\\|else\\)\\|n\\(c\\(lude\\|r\\)\\|d\\(ex\\|ir\\)\\)\\)
\\|l\\(en\\|ine\\)\\|m\\(4\\(exit\\|wrap\\)\\|aketemp\\)
\\|p\\(atsubst\\|opdef\\|ushdef\\)
\\|regexp\\|s\\(hift\\|include\\|ubstr\\|ys\\(cmd\\|val\\)\\)
\\|tra\\(ceo\\(ff\\|n\\)\\|nslit\\)\\|un\\(d\\(efine\\|ivert\\)\\|ix\\)\\)
\\b" . font-lock-keyword-face)
+    ("\\b\\(m4_\\)?\\(builtin\\|change\\(com\\|quote\\|word\\)
\\|d\\(e\\(bug\\(file\\|mode\\)\\|cr\\|f\\(ine\\|n\\)\\)\\|iv\\(ert\\|num\\)
\\|nl\\|umpdef\\)\\|e\\(rrprint\\|syscmd\\|val\\)\\|f\\(ile\\|ormat\\)
\\|gnu\\|i\\(f\\(def\\|else\\)\\|n\\(c\\(lude\\|r\\)\\|d\\(ex\\|ir\\)\\)\\)
\\|l\\(en\\|ine\\)\\|m\\(4\\(exit\\|wrap\\)\\|aketemp\\|kstemp\\)
\\|p\\(atsubst\\|opdef\\|ushdef\\)
\\|regexp\\|s\\(hift\\|include\\|ubstr\\|ys\\(cmd\\|val\\)\\)
\\|tra\\(ceo\\(ff\\|n\\)\\|nslit\\)\\|un\\(d\\(efine\\|ivert\\)\\|ix\\)\\)
\\b" . font-lock-keyword-face)
     ("^\\(\\(m4_\\)?define\\|A._DEFUN\\|m4_defun\\)(\\[?\\([A-Za-z0-9_]+\\)" 3 
font-lock-function-name-face)
     "default font-lock-keywords")
 )