Fix security warning generated by std::tmpnam #105987
Effectively replicate the behavior of the function in the manner
which is used for autosave file.
There might be a better solution which is cross-platform and does
not suffer from the time of check, time of use (TOCTOU) vector of
attack. This seems to be a bigger project to figure out, so until
then silence the warning: it is fine since the directory is only
used to chdir to, so worst case an external attacker can introduce
is a test failure.
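
The time-of-check, time-of-use gap named in the description, shown next to a POSIX-only way to close it, as an added example (not code from this pull request or from Blender). The helper names and the `fileops_test_` prefix are hypothetical, and because `mkdtemp()` does not exist on Windows this is not the cross-platform solution the description says is still missing.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper: create a fresh private directory under $TMPDIR or /tmp.
// mkdtemp() chooses the name and creates the directory in one call, so there
// is no window between "pick a name" and "create it" as there is with a name
// returned by std::tmpnam(). Returns "" on failure.
std::string make_private_temp_dir(const std::string &prefix)
{
  const char *env = std::getenv("TMPDIR");
  const std::string bases[] = {(env && *env) ? env : "/tmp", "/tmp"};
  for (const std::string &base : bases) {
    const std::string tmpl = base + "/" + prefix + "XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    if (mkdtemp(buf.data()) != nullptr) {
      return std::string(buf.data());
    }
  }
  return "";
}

// Check the properties a caller relies on before chdir(): a real directory
// (lstat does not follow symlinks), owned by us, no group/other access.
bool is_private_dir(const std::string &path)
{
  struct stat st;
  if (lstat(path.c_str(), &st) != 0) return false;
  return S_ISDIR(st.st_mode) && st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

// For contrast, the name-first pattern: mkdir() on an already chosen name
// fails with EEXIST when another process created it first. That failure
// must be treated as an error, never ignored.
bool create_exclusive(const std::string &path)
{
  return mkdir(path.c_str(), 0700) == 0;
}

int main()
{
  const std::string dir = make_private_temp_dir("fileops_test_");
  if (dir.empty() || !is_private_dir(dir)) return 1;
  std::printf("created %s\n", dir.c_str());
  return rmdir(dir.c_str()) == 0 ? 0 : 1;
}
```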
@blender-bot build
This is the first usage of std::filesystem in Blender. We can use that now with macOS 10.15 as the minimum, however there were also other concerns in #90379.

In particular, the BLI API assumes utf-8 but std::filesystem does not on Windows, so this may fail if the temp directory includes non-ascii characters.

Maybe it's easier to not use a temporary directory, but use a fixed one like tests/fileops similar to tests/cycles or tests/io_curve_svg.

I am not sure why it is considered to be important how the fs::path stores data internally. It stores the data in the native to the OS manner, which avoids conversion to the wide character format on every file system access (which is required when one uses UTF-8 for the storage).

In the issue you've linked the statement goes by "needs investigation", so not sure how that is escalated to a "concern". In practice there are some tricky aspects of getting UTF-8 path to fs::path, however those are non-intuitive mainly C++20. In C++17 the u8path does the proper thing in a cross-platform manner (at least in own tests). The tricky part is the C++20 which declares u8path deprecated and tells to use path(u8string) constructor signature, and that did not seem to work correctly. The access to the UTF-8 string is something that generic_u8string() (and that is something it seems I've missed in the original patch).

Interestingly, there is no difference in the behavior of std::tmpnam() and fs::temp_directory_path(): they both encode non-ASCII part of a path in some coding scheme, and it does not matter whether generic_string() or generic_u8string() was used.

I've updated the patch so that it avoids use of std::filesystem, but I do not think it solves more problems than introduces new. The comparison with the io_curve_svg I do not find really fair: it uses tests/io_curve_svg to store data which is considered an output. For the temporary files it still uses Python's tempfile.

Adding such explicit temporary directory specification makes it tricky to understand what is to be used and when. Like, why the fileops test has to use this explicit temporary directory, but the PLY test can use the generic Blender temporary directory.

And last but not least, with such change it is required to pass an extra command line argument to the test so that ./bin/tests/blenlib_test --gtest_filter='*change_working_directory' is no longer enough (and keeping tests as easy to run as possible is something I find important).

The proper solution could be to move where_is_temp to BLI. It provides close-to-XDG way of accessing the temp directory, and is not really Blender application specific, so it is not really justified to be in the BKE. Doing so also moves us closer to the more proper and transparent substitute of the std::filepath.

So if there is really a requirement of avoiding std::filesystem, the proper solution would require to first un-entangle some extra mess in the BKE/BLI. It should happen as a separate review. As for this change, I really do not feel motivated committing this mess, so closing.

Pull request closed