Use of deprecated function (mktemp)
Description
The `mktemp` function should no longer be used due to multiple flaws. Some implementations created random files by using known information like the process ID and a single letter. This allows for possible race conditions where an attacker could guess or manipulate these files prior to them being used. Consider using the `mkstemp` function instead, but be aware it also contains possible risks. Ensure the process has called the `umask` function with restricted permissions prior to calling `mkstemp` and validate the permissions prior to using the file descriptor.
Examples
Insecure Code
c
FILE *fp = fopen(mktemp(template), "w");Secure Code
c
int fd = mkstemp(template); if (fd != -1) { FILE *fp = fdopen(fd, "w"); }Remediation
Replace `mktemp` with `mkstemp` and ensure proper permissions are set using `umask`
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0618 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-377 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | temporary files, race conditions |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |