The implementation of mkstemp() for MinGW uses mktemp() and open()
without the flag O_EXCL, which is racy. It's not a security problem
for now because all of its callers only create files within the
repository (incl. worktrees). Replace it with a call to our more
secure internal function, git_mkstemp_mode(), to prevent possible
future issues.
Signed-off-by: René Scharfe <l.s.r@xxxxxx>
---
compat/mingw.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/compat/mingw.c b/compat/mingw.c
index 2607de93af..b5502997e2 100644
--- a/compat/mingw.c
+++ b/compat/mingw.c
@@ -1059,10 +1059,7 @@ char *mingw_mktemp(char *template)
int mkstemp(char *template)
{
- char *filename = mktemp(template);
- if (!filename)
- return -1;
- return open(filename, O_RDWR | O_CREAT, 0600);
+ return git_mkstemp_mode(template, 0600);
}
int gettimeofday(struct timeval *tv, void *tz)
--
2.37.0
