Merge pull request libgit2#6207 from libgit2/ethomson/prng

mktmp: improve our temp file creation

Author: ethomson

COPYING

@@ -1132,3 +1132,15 @@ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.
 
+----------------------------------------------------------------------
+
+The xoroshiro256** implementation is licensed in the public domain:
+
+Written in 2018 by David Blackman and Sebastiano Vigna (vigna@acm.org)
+
+To the extent possible under law, the author has dedicated all copyright
+and related and neighboring rights to this software to the public domain
+worldwide. This software is distributed without any warranty.
+
+See <http://creativecommons.org/publicdomain/zero/1.0/>.
+

src/CMakeLists.txt

@@ -55,6 +55,8 @@ check_prototype_definition(qsort_r
 
 check_function_exists(qsort_s GIT_QSORT_S)
 
+check_function_exists(getentropy GIT_RAND_GETENTROPY)
+
 # Find required dependencies
 
 if(WIN32)

src/features.h.in

@@ -48,4 +48,6 @@
 #cmakedefine GIT_SHA1_OPENSSL 1
 #cmakedefine GIT_SHA1_MBEDTLS 1
 
+#cmakedefine GIT_RAND_GETENTROPY 1
+
 #endif

src/fs_path.c

@@ -1040,8 +1040,8 @@ int git_fs_path_iconv(git_fs_path_iconv_t *ic, const char **in, size_t *inlen)
 	return -1;
 }
 
-static const char *nfc_file = "\xC3\x85\x73\x74\x72\xC3\xB6\x6D.XXXXXX";
-static const char *nfd_file = "\x41\xCC\x8A\x73\x74\x72\x6F\xCC\x88\x6D.XXXXXX";
+static const char *nfc_file = "\xC3\x85\x73\x74\x72\xC3\xB6\x6D";
+static const char *nfd_file = "\x41\xCC\x8A\x73\x74\x72\x6F\xCC\x88\x6D";
 
 /* Check if the platform is decomposing unicode data for us.  We will
  * emulate core Git and prefer to use precomposed unicode data internally
@@ -1054,39 +1054,42 @@ static const char *nfd_file = "\x41\xCC\x8A\x73\x74\x72\x6F\xCC\x88\x6D.XXXXXX";
  */
 bool git_fs_path_does_decompose_unicode(const char *root)
 {
-	git_str path = GIT_STR_INIT;
+	git_str nfc_path = GIT_STR_INIT;
+	git_str nfd_path = GIT_STR_INIT;
 	int fd;
 	bool found_decomposed = false;
-	char tmp[6];
+	size_t orig_len;
+	const char *trailer;
 
 	/* Create a file using a precomposed path and then try to find it
 	 * using the decomposed name.  If the lookup fails, then we will mark
 	 * that we should precompose unicode for this repository.
 	 */
-	if (git_str_joinpath(&path, root, nfc_file) < 0 ||
-		(fd = p_mkstemp(path.ptr)) < 0)
+	if (git_str_joinpath(&nfc_path, root, nfc_file) < 0)
+		goto done;
+
+	/* record original path length before trailer */
+	orig_len = nfc_path.size;
+
+	if ((fd = git_futils_mktmp(&nfc_path, nfc_path.ptr, 0666)) < 0)
 		goto done;
 	p_close(fd);
 
-	/* record trailing digits generated by mkstemp */
-	memcpy(tmp, path.ptr + path.size - sizeof(tmp), sizeof(tmp));
+	trailer = nfc_path.ptr + orig_len;
 
 	/* try to look up as NFD path */
-	if (git_str_joinpath(&path, root, nfd_file) < 0)
+	if (git_str_joinpath(&nfd_path, root, nfd_file) < 0 ||
+	    git_str_puts(&nfd_path, trailer) < 0)
 		goto done;
-	memcpy(path.ptr + path.size - sizeof(tmp), tmp, sizeof(tmp));
 
-	found_decomposed = git_fs_path_exists(path.ptr);
+	found_decomposed = git_fs_path_exists(nfd_path.ptr);
 
 	/* remove temporary file (using original precomposed path) */
-	if (git_str_joinpath(&path, root, nfc_file) < 0)
-		goto done;
-	memcpy(path.ptr + path.size - sizeof(tmp), tmp, sizeof(tmp));
-
-	(void)p_unlink(path.ptr);
+	(void)p_unlink(nfc_path.ptr);
 
 done:
-	git_str_dispose(&path);
+	git_str_dispose(&nfc_path);
+	git_str_dispose(&nfd_path);
 	return found_decomposed;
 }
 

src/futils.c

@@ -10,6 +10,8 @@
 #include "runtime.h"
 #include "strmap.h"
 #include "hash.h"
+#include "rand.h"
+
 #include <ctype.h>
 #if GIT_WIN32
 #include "win32/findfile.h"
@@ -27,23 +29,20 @@ int git_futils_mkpath2file(const char *file_path, const mode_t mode)
 int git_futils_mktmp(git_str *path_out, const char *filename, mode_t mode)
 {
 	const int open_flags = O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
-	/* TMP_MAX is unrelated to mktemp but should provide a reasonable amount */
-	unsigned int tries = TMP_MAX;
+	unsigned int tries = 32;
 	int fd;
 
 	while (tries--) {
+		uint64_t rand = git_rand_next();
+
 		git_str_sets(path_out, filename);
-		git_str_puts(path_out, "_git2_XXXXXX");
+		git_str_puts(path_out, "_git2_");
+		git_str_encode_hexstr(path_out, (void *)&rand, sizeof(uint64_t));
 
 		if (git_str_oom(path_out))
 			return -1;
 
-		/* Using mktemp is safe when we open with O_CREAT | O_EXCL */
-		p_mktemp(path_out->ptr);
-		/* mktemp sets template to empty string on failure */
-		if (path_out->ptr[0] == '\0')
-			break;
-
+		/* Note that we open with O_CREAT | O_EXCL */
 		if ((fd = p_open(path_out->ptr, open_flags, mode)) >= 0)
 			return fd;
 	}

src/futils.h

@@ -177,11 +177,12 @@ extern int git_futils_rmdir_r(const char *path, const char *base, uint32_t flags
  * protected directory; the file created will created will honor
  * the current `umask`.  Writes the filename into path_out.
  *
- * This function is *NOT* suitable for use in temporary directories
- * that are world writable.  It uses `mktemp` (for portability) and
- * many `mktemp` implementations use weak random characters.  It
- * should only be assumed to be suitable for atomically writing
- * a new file in a directory that you control.
+ * This function uses a high-quality PRNG seeded by the system's
+ * entropy pool _where available_ and falls back to a simple seed
+ * (time plus system information) when not.  This is suitable for
+ * writing within a protected directory, but the system's safe
+ * temporary file creation functions should be preferred where
+ * available when writing into world-writable (temp) directories.
  *
  * @return On success, an open file descriptor, else an error code < 0.
  */

src/libgit2.c

@@ -20,6 +20,7 @@
 #include "mwindow.h"
 #include "object.h"
 #include "odb.h"
+#include "rand.h"
 #include "refs.h"
 #include "runtime.h"
 #include "sysdir.h"
@@ -70,6 +71,7 @@ int git_libgit2_init(void)
 		git_allocator_global_init,
 		git_threadstate_global_init,
 		git_threads_global_init,
+		git_rand_global_init,
 		git_hash_global_init,
 		git_sysdir_global_init,
 		git_filter_global_init,

src/posix.h

@@ -131,7 +131,6 @@ extern ssize_t p_pwrite(int fd, const void *data, size_t size, off64_t offset);
 
 #define p_close(fd) close(fd)
 #define p_umask(m) umask(m)
-#define p_mktemp(p) mktemp(p)
 
 extern int p_open(const char *path, int flags, ...);
 extern int p_creat(const char *path, mode_t mode);