bug-gnu-utils
Re: Bug#530087: gettext: bashism in /bin/sh script (fwd)


From: Eric Blake
Subject: Re: Bug#530087: gettext: bashism in /bin/sh script (fwd)
Date: Fri, 24 Jul 2009 12:41:07 -0600
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.6.666

According to Santiago Vila on 7/24/2009 5:00 AM:
> We have the goal of allowing /bin/sh to be dash by default, in which case,
> the code shown does not get the extra randomness provided by $RANDOM,
> so it would be considered as unsecure code.

This is not unsecure code.  This recipe is borrowed from the autoconf
manual.  While it is true that on bash it is less predictable thanks to
the properties of $RANDOM, it is still secure under dash where $RANDOM
expands to nothing.  Why?  Because mkdir is atomic, so as long as you
guarantee that mkdir has a successful exit status, the lack of a random
file name still doesn't hurt your ability to make a secure temporary
directory.

http://www.gnu.org/software/autoconf/manual/autoconf.html#Limitations-of-Usual-Tools
under mktemp

> 
> checkbashisms' output:
>> possible bashism in ./usr/bin/autopoint line 55 ($RANDOM):
>>     tmp=$TMPDIR/gt$$-$RANDOM
>> possible bashism in ./usr/bin/gettextize line 55 ($RANDOM):
>>     tmp=$TMPDIR/gt$$-$RANDOM
> 

- --
Don't work too hard, make some time for fun as well!

Eric Blake             address@hidden
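The argument in the message above (mkdir is atomic, so checking its exit status is sufficient even when $RANDOM expands to nothing), as an added example that is not part of the original message and is not gettext or autoconf code. It follows the mktemp-then-mkdir pattern referenced under mktemp in the autoconf manual; the function names and the `gt4242-` name are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not gettext or autoconf code.

# new_private_dir DIR: create DIR with mode 0700 and succeed only if this call
# created it. mkdir(2) is atomic and fails with EEXIST when the name already
# exists as a directory, a file or a symlink, so an existing name is refused
# rather than reused.
new_private_dir() {
  (umask 077 && mkdir "$1") 2>/dev/null
}

# make_tmpdir PREFIX: print the path of a new private directory under
# ${TMPDIR:-/tmp}. Prefers mktemp -d, otherwise falls back to plain mkdir.
make_tmpdir() {
  base=${TMPDIR:-/tmp}
  {
    dir=$( (umask 077 && mktemp -d "$base/${1}XXXXXX") 2>/dev/null ) &&
      test -d "$dir"
  } || {
    # ${RANDOM-} is empty under dash; the exit status of mkdir is what
    # makes this safe, not the unpredictability of the name.
    dir=$base/${1}$$-${RANDOM-}
    new_private_dir "$dir"
  } || return 1
  printf '%s\n' "$dir"
}

# Demo with a constructed, fully predictable name (the form dash would
# produce, since $RANDOM adds nothing there).
scratch=$(make_tmpdir gtdemo) || exit 1
new_private_dir "$scratch/gt4242-" && echo "first mkdir: created"
new_private_dir "$scratch/gt4242-" || echo "second mkdir: refused, caller must abort"
rm -rf "$scratch"
```

A caller that ignores a non-zero status from `make_tmpdir` and writes into the path anyway loses the guarantee; the check on the exit status is the security property.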



