mingw: avoid mktemp() in mkstemp() implementation

rscharfe · gitster · commit ae25974de301 · 2022-07-14T22:45:05.000-07:00
The implementation of mkstemp() for MinGW uses mktemp() and open()
without the flag O_EXCL, which is racy.  It's not a security problem
for now because all of its callers only create files within the
repository (incl. worktrees).  Replace it with a call to our more
secure internal function, git_mkstemp_mode(), to prevent possible
future issues.

Signed-off-by: René Scharfe &lt;l.s.r@web.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
diff --git a/compat/mingw.c b/compat/mingw.c
@@ -1044,10 +1044,7 @@ char *mingw_mktemp(char *template)
 
 int mkstemp(char *template)
 {
-	char *filename = mktemp(template);
-	if (filename == NULL)
-		return -1;
-	return open(filename, O_RDWR | O_CREAT, 0600);
+	return git_mkstemp_mode(template, 0600);
 }
 
 int gettimeofday(struct timeval *tv, void *tz)

Original file line number	Diff line number	Diff line change
`@@ -1044,10 +1044,7 @@ char mingw_mktemp(char template)`
`1044`	`1044`
`1045`	`1045`	`int mkstemp(char *template)`
`1046`	`1046`	`{`
`1047`		`- char *filename = mktemp(template);`
`1048`		`- if (filename == NULL)`
`1049`		`- return -1;`
`1050`		`- return open(filename, O_RDWR \| O_CREAT, 0600);`
	`1047`	`+ return git_mkstemp_mode(template, 0600);`
`1051`	`1048`	`}`
`1052`	`1049`
`1053`	`1050`	`int gettimeofday(struct timeval tv, void tz)`