
Re: PATCH: NSPathUtilities etc


From: Alexander Malmberg
Subject: Re: PATCH: NSPathUtilities etc
Date: Fri, 05 Mar 2004 02:30:50 +0100

Sheldon Gill wrote:
> > Some more comments on NSPathUtilities.m. I think I'd be ready to commit
> > this after addressing these comments.

It's late, and I haven't had time to look at the patches in detail yet,
but I'm still not really happy about the general idea. A configuration
file in /etc does make sense, though, if you're running on a "normal"
un*x system, so for those cases, I guess it's ok.

(Would be nice if the configuration system was easily pluggable, so that
"unnormal" unix-like systems could have GNUstep configure itself in some
convenient way (eg. LinuxSTEP or GNUstep on Darwin), but that can come
later.)

[snip]
> > > /**
> > >  * Returns the name of a directory in which temporary files can be
> > > stored.<br/ >
> > >  * For unix-like systems this is usually '/tmp'.<br/ >
> > >  * For MS-Windows systems this is the system temporary directory,
> > > often '%WINDIR%\TEMP\'.<br/ >
> > >  */
> > > NSString
> > > *NSTemporaryDirectory(void)
> >
> > Why did you take out the creation of a secure subdirectory of temp?
> 
> This is a bigger question.

NSTemporaryDirectory has been implemented and _documented_ as returning
a secure, this-user-only directory for a long time. Both code in GNUstep
and outside GNUstep depends on this. Changing this would break things
and introduce subtle security holes and information leaks.

IMHO, it'd take _extreme_ reasons to change documented behavior with
such consequences. For this reason, if no other, I think the behavior
should remain as it is.

> Firstly, the existing code isn't really secure. You can circumvent it.

Then that should be fixed. How is it broken?

At a quick glance, it seems ok (on posix systems) aside from not
returning nil if the directory creation fails (at least it logs in that
case). I'll fix that tomorrow.

> I looked at changing that but things start getting quite complex.

GNUstep needs a secure temporary directory in a couple of places, so we
have to solve it anyway.

- Alexander Malmberg
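The "secure, this-user-only directory" behaviour the reply insists on, and the missing fail-on-creation-error it mentions, as an added example written for this page (not GNUstep's own NSTemporaryDirectory code): a POSIX check that only hands back a path it has verified, and returns -1 otherwise. The `GNUstepSecure<uid>` name layout and the `demo_checks` self-check are assumptions for the example.

```c
/* Added example, not GNUstep's NSTemporaryDirectory: a POSIX check for a
 * per-user temp directory that fails (-1, the C analogue of nil) rather than
 * returning an unsafe path. The "GNUstepSecure<uid>" layout is hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 if path is a real directory (not a symlink), owned by uid and
 * with no group/other permission bits; -1 otherwise. */
int check_private_dir(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;            /* missing or unreadable */
    if (!S_ISDIR(st.st_mode)) return -1;             /* symlink or file planted here */
    if (st.st_uid != uid) return -1;                 /* owned by someone else */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return -1; /* accessible to others */
    return 0;
}

/* Builds "<base>/GNUstepSecure<uid>" in out, creates it mode 0700 if missing,
 * then validates it. Returns 0 on success, -1 on any failure, so the caller
 * never receives a path it should not trust. */
int secure_user_tmpdir(const char *base, uid_t uid, char *out, size_t len)
{
    int n = snprintf(out, len, "%s/GNUstepSecure%lu", base, (unsigned long)uid);
    if (n < 0 || (size_t)n >= len) return -1;
    /* Create before inspecting: a symlink planted at the path makes mkdir fail
     * with EEXIST, and lstat above then rejects it as not a real directory. */
    if (mkdir(out, S_IRWXU) != 0 && errno != EEXIST) return -1;
    return check_private_dir(out, uid);
}

/* Self-check: a fresh directory is accepted twice (create, then reuse), and
 * the same directory is rejected once it becomes readable by others. */
int demo_checks(void)
{
    char base[] = "/tmp/tmpdir-demo-XXXXXX";  /* constructed scratch location */
    char path[256];
    if (mkdtemp(base) == NULL) return 1;
    if (secure_user_tmpdir(base, getuid(), path, sizeof path) != 0) return 2;
    if (secure_user_tmpdir(base, getuid(), path, sizeof path) != 0) return 3;
    if (chmod(path, 0755) != 0) return 4;
    if (check_private_dir(path, getuid()) != -1) return 5;
    return 0;
}
```

The directory is rejected, not repaired, when its mode or owner is wrong; a caller that wants to reuse an existing directory must therefore accept that it gets -1 and no path in that case.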