[New-bugs-announce] [issue42278] Remove usage of tempfile.mktemp in stdlib

E. Paine report at bugs.python.org
Fri Nov 6 09:57:52 EST 2020


New submission from E. Paine <paineelisha at gmail.com>:

Currently, there are many uses of `tempfile.mktemp` in the stdlib. I couldn't find an issue where this has already been discussed, but I think the usage of mktemp in the stdlib should be completely reviewed. I grepped the Lib and a slightly filtered version is the following:

Lib/asyncio/windows_utils.py:34: address = tempfile.mktemp(
Lib/distutils/command/bdist_wininst.py:185: archive_basename = mktemp()
Lib/distutils/util.py:386: (script_fd, script_name) = None, mktemp(".py")
Lib/msilib/__init__.py:214: filename = mktemp()
Lib/multiprocessing/connection.py:81: return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
Lib/multiprocessing/connection.py:83: return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
Lib/pydoc.py:1620: filename = tempfile.mktemp()
Lib/test/bisect_cmd.py:75: tmp = tempfile.mktemp()
Lib/test/test_bytes.py:1193: tfn = tempfile.mktemp()
Lib/test/test_contextlib.py:316: tfn = tempfile.mktemp()
Lib/test/test_doctest.py:2724: >>> fn = tempfile.mktemp()
Lib/test/test_doctest.py:2734: >>> fn = tempfile.mktemp()
Lib/test/test_doctest.py:2744: >>> fn = tempfile.mktemp()
Lib/test/test_faulthandler.py:51: filename = tempfile.mktemp()
Lib/test/test_shutil.py:1624: filename = tempfile.mktemp(dir=dirname)
Lib/test/test_shutil.py:1935: dst_dir = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_shutil.py:2309: name = tempfile.mktemp(dir=os.getcwd())
Lib/test/test_shutil.py:272: filename = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_shutil.py:677: dst = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_socket.py:699: path = tempfile.mktemp(dir=self.dir_path)
Lib/test/test_socketserver.py:100: fn = tempfile.mktemp(prefix='unix_socket.', dir=dir)

I am hoping this issue will be spotted as I couldn't find who to add to the nosy for this. I think, bearing in mind that use of this method is a security issue, we should reduce this number as low as feasible (though, I am sure that a number of those will have good reasons for using mktemp, and will be doing so in a safe way).

----------
components: Library (Lib)
messages: 380450
nosy: epaine
priority: normal
severity: normal
status: open
title: Remove usage of tempfile.mktemp in stdlib
type: security
versions: Python 3.10, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42278>
_______________________________________
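
An added example, not part of the original report or of CPython: one way to repeat the audit above with the `ast` module instead of grep, so that bare `mktemp()` calls imported via `from tempfile import mktemp` and aliased imports are matched while mentions in strings are not. The function name `find_mktemp_calls` and the sample source are constructed for illustration.

```python
import ast

def find_mktemp_calls(source, filename="<constructed>"):
    """Return sorted (filename, lineno, spelling) for calls resolving to tempfile.mktemp."""
    tree = ast.parse(source, filename)
    module_names = set()  # local names bound to the tempfile module
    func_names = set()    # local names bound directly to tempfile.mktemp
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "tempfile":
                    module_names.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "tempfile" and node.level == 0:
            for alias in node.names:
                if alias.name == "mktemp":
                    func_names.add(alias.asname or alias.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in func_names:
            hits.append((filename, node.lineno, func.id))
        elif (isinstance(func, ast.Attribute) and func.attr == "mktemp"
              and isinstance(func.value, ast.Name) and func.value.id in module_names):
            hits.append((filename, node.lineno, f"{func.value.id}.mktemp"))
    return sorted(hits)

# Constructed sample input covering the three import spellings.
SAMPLE = '''\
import tempfile
import tempfile as tf
from tempfile import mktemp, mkstemp

def listener_address():
    return tempfile.mktemp(prefix="listener-")

def archive_name():
    return mktemp()

def aliased():
    return tf.mktemp(".py")

def safe():
    fd, path = mkstemp()  # mkstemp creates the file itself; not reported
    return fd, path, "tempfile.mktemp() inside a string is not a call"
'''

if __name__ == "__main__":
    for name, lineno, spelling in find_mktemp_calls(SAMPLE):
        print(f"{name}:{lineno}: {spelling}()")
```

The match is by name only and is not scope-aware, and it does not see calls written inside docstrings, so doctest occurrences such as the Lib/test/test_doctest.py lines listed above still need a text search.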

