[Python-3000] Support for newline and encoding arguments to open in tempfile module, also mktemp deprecation
Guido van Rossum
guido at python.org
Mon Aug 27 03:51:39 CEST 2007
On 8/26/07, Adam Hupp <adam at hupp.org> wrote:
> It would be useful to support 'newline' and 'encoding' arguments in
> tempfile.TemporaryFile and friends. These new arguments would be
> passed directly into io.open. I've uploaded a patch for this to:
> The 'bufsize' argument to os.fdopen has changed to 'buffering' so I
> went ahead and made the same change to TemporaryFile etc. Is this a
Hm, why not just create the temporary file in binary mode and wrap an
io.TextIOWrapper instance around it?
> While in tempfile, I noticed that tempfile.mktemp() has the following comment:
> "This function is unsafe and should not be used."
> The docs list it as "Deprecated since release 2.3". Should it be
> removed in py3k?
I personally think the deprecation was an overreaction to the security
concerns. People avoid the warning by calling mkstemp() but then just
close the file descriptor and use the filename anyway; that's just as
unsafe, but often there's just no other way. I say, remove the
The attack on mktemp() is much less likely because the name is much
more random anyway.
(If you haven't heard of the attack: another process could guess the
name of the tempfile and quickly replacing it with a symbolic link
pointing to a file owned by the user owning the process, e.g.
/etc/passwd, which will then get overwritten. This is because /tmp is
writable by anyone. It works for non-root users too, to some extent.)
--Guido van Rossum (home page: http://www.python.org/~guido/)
More information about the Python-3000