[Patches] Patch to make tempfile return random filenames

Ragnar Kjørstad ragnark@vestdata.no
Sat, 20 May 2000 20:55:40 +0200


--a8Wt8u1KmwUX3Y2C
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

This patch changes tempfile to return a random filename. The reason for
the change is that predictable filenames can be a security problem,
because other users can make symlinks thus causing you to overwrite one
of your own files.

A side-effect is that the filename will be unique without the need for a
counter, thus removing the problem of filenames not being unique
after a fork.

The filenames would also be unique without the pid-part, but I left it
there because it's practical for debugging and such.



-- 
Ragnar Kjørstad

--a8Wt8u1KmwUX3Y2C
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=disclamer

I confirm that, to the best of my knowledge and belief, this
contribution is free of any claims of third parties under
copyright, patent or other rights or interests ("claims").  To
the extent that I have any such claims, I hereby grant to CNRI a
nonexclusive, irrevocable, royalty-free, worldwide license to
reproduce, distribute, perform and/or display publicly, prepare
derivative versions, and otherwise use this contribution as part
of the Python software and its related documentation, or any
derivative versions thereof, at no cost to CNRI or its licensed
users, and to authorize others to do so.

I acknowledge that CNRI may, at its sole discretion, decide
whether or not to incorporate this contribution in the Python
software and its related documentation.  I further grant CNRI
permission to use my name and other identifying information
provided to CNRI by me for use in connection with the Python
software and its related documentation.

--a8Wt8u1KmwUX3Y2C
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="tempfile.random.patch"

Index: src/Doc/lib/libtempfile.tex
===================================================================
RCS file: /projects/cvsroot/python/dist/src/Doc/lib/libtempfile.tex,v
retrieving revision 1.12
diff -c -r1.12 libtempfile.tex
*** libtempfile.tex	1999/04/21 17:01:15	1.12
--- libtempfile.tex	2000/05/20 18:50:45
***************
*** 18,25 ****
  
  \begin{funcdesc}{mktemp}{}
  Return a unique temporary filename.  This is an absolute pathname of a
! file that does not exist at the time the call is made.  No two calls
! will return the same filename.
  \end{funcdesc}
  
  The module uses two global variables that tell it how to construct a
--- 18,24 ----
  
  \begin{funcdesc}{mktemp}{}
  Return a unique temporary filename.  This is an absolute pathname of a
! randomly generated filename
  \end{funcdesc}
  
  The module uses two global variables that tell it how to construct a
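Review bot: The replacement sentence in the new `mktemp` description ("randomly generated filename") drops both guarantees the old text made, that the file does not exist at call time and that no two calls return the same name, while the first sentence still promises a "unique" filename; it is also missing its final period. Say explicitly what callers can rely on: either keep the existence check in the code and document it here, or state that the name is random and may collide with an existing file.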
***************
*** 43,52 ****
  \var{pid} is the current process ID (on \UNIX{}), or \file{tmp} (all
  other systems).
  \end{datadesc}
- 
- \strong{Warning:} if a \UNIX{} process uses \code{mktemp()}, then
- calls \function{fork()} and both parent and child continue to use
- \function{mktemp()}, the processes will generate conflicting temporary
- names.  To resolve this, the child process should assign \code{None} to
- \code{template}, to force recomputing the default on the next call
- to \function{mktemp()}.
--- 42,44 ----
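Review bot: Deleting the `fork()` warning looks premature. A forked child inherits the parent's `random` generator state together with the cached `template`, so parent and child would draw the same sequence of numbers under the same prefix and still produce conflicting names. Keep a warning, or have the documentation tell the child to reseed and to reset `template` to `None`, unless the code itself guarantees the two processes diverge.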
Index: src/Lib/tempfile.py
===================================================================
RCS file: /projects/cvsroot/python/dist/src/Lib/tempfile.py,v
retrieving revision 1.21
diff -c -r1.21 tempfile.py
*** tempfile.py	2000/04/24 13:28:02	1.21
--- tempfile.py	2000/05/20 18:50:46
***************
*** 6,11 ****
--- 6,12 ----
  
  
  import os
+ import random
  
  
  # Parameters that the caller may set to override the defaults
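Review bot: The `import random` added here pulls in a general-purpose deterministic generator, not one intended for security use, while the stated goal is names that other users cannot predict. Add a comment next to the import (or in `mktemp`) explaining how the generator is seeded and why that is considered hard enough to guess, or draw the name from a source meant for unpredictability.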
***************
*** 92,112 ****
      return template
  
  
- # Counter for generating unique names
- 
- counter = 0
- 
- 
  def mktemp(suffix=""):
      """User-callable function to return a unique temporary file name."""
-     global counter
      dir = gettempdir()
      pre = gettempprefix()
!     while 1:
!         counter = counter + 1
!         file = os.path.join(dir, pre + `counter` + suffix)
!         if not os.path.exists(file):
!             return file
  
  
  class TemporaryFileWrapper:
--- 93,104 ----
      return template
  
  
  def mktemp(suffix=""):
      """User-callable function to return a unique temporary file name."""
      dir = gettempdir()
      pre = gettempprefix()
!     rand = str(random.randit(0, 1000000))
!     file = os.path.join(dir, pre + rand + suffix)
  
  
  class TemporaryFileWrapper:
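Review bot: The new `mktemp()` body in the `--- 93,104 ----` section does not work as written: `random.randit` is not a function of the `random` module (presumably `random.randint` was meant), and the function builds `file` but never returns it, so once the typo is fixed callers would get `None`. It also drops the `os.path.exists(file)` check the old loop had, and with only 1000001 possible values a clash with an existing name is plausible; keep the `while 1:` loop around the random draw and `return file` once the name is free. Returning only a name still leaves a window between this call and the caller creating the file, so the symlink concern in the cover message is reduced rather than removed; creating the file here with exclusive-create semantics would close it.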

--a8Wt8u1KmwUX3Y2C--
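
The symlink problem described in the message, next to exclusive creation, as an added example that is not part of the original post or patch. The file names and scratch directory are constructed for the demonstration, and `tempfile.mkstemp` is a later standard-library call, not something this patch provides.

```python
import os
import shutil
import tempfile

def predictable_write(path, data):
    """Pattern at risk: opening a guessable name for writing follows symlinks."""
    with open(path, "w") as f:
        f.write(data)

def exclusive_write(path, data):
    """Hardened pattern: O_CREAT|O_EXCL fails if the name exists, symlinks included."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def read(path):
    with open(path) as f:
        return f.read()

def demo():
    """Constructed scenario, confined to a private scratch directory."""
    scratch = tempfile.mkdtemp()
    try:
        own_file = os.path.join(scratch, "important.txt")  # the user's own file
        guessable = os.path.join(scratch, "@1234.1")       # constructed predictable name
        predictable_write(own_file, "original")
        os.symlink(own_file, guessable)                    # name already taken by a link
        result = {}
        predictable_write(guessable, "scratch data")       # write goes through the link
        result["after_predictable"] = read(own_file)
        predictable_write(own_file, "original")            # restore for the second case
        try:
            exclusive_write(guessable, "scratch data")
            result["exclusive_refused"] = False
        except FileExistsError:
            result["exclusive_refused"] = True
        result["after_exclusive"] = read(own_file)
        # mkstemp picks a random name and creates it with O_EXCL in one step.
        fd, name = tempfile.mkstemp(dir=scratch)
        os.close(fd)
        result["mkstemp_regular_file"] = os.path.isfile(name) and not os.path.islink(name)
        return result
    finally:
        shutil.rmtree(scratch)

if __name__ == "__main__":
    print(demo())
```

A random name alone only makes the link harder to plant in advance; the exclusive create is what makes the write fail instead of following it.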