[Patches] Patch to make tempfile return random filenames
Jeremy Hylton
jeremy@alum.mit.edu
Mon, 22 May 2000 14:13:19 -0700 (PDT)
>>>>> "AMK" == Andrew M Kuchling <akuchlin@mems-exchange.org> writes:

AMK> I think it's worth fixing, but I'm not clear on what the safe
AMK> way to create a temp. file *is*. Has anyone written a clear
AMK> guide to the safe way to open tempfiles?

I just poked around the bugtraq list for a minute. Found one
discussion of a tempfile vulnerability:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990106193502.18281.qmail@underground.org

The approach the L0phtCrack folks took was to create tempfiles in a
directory owned by the application where other users couldn't create
symlinks. This is a much better approach than trying to produce
hard-to-guess temp filenames in a shared directory.

-1 on "fixing" the tempfile module

Jeremy
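
The private-directory approach described in the message above, sketched in Python as an added example (not code from this thread or from the tempfile module). The function names `ensure_private_dir` and `create_private_file` and the directory layout are assumptions made for illustration.

```python
import os
import stat
import tempfile


def ensure_private_dir(path):
    """Create or validate a directory that only the current user can write to."""
    try:
        os.mkdir(path, 0o700)      # fails if anything, even a symlink, is at path
    except FileExistsError:
        pass                       # something is already there: validate it below
    st = os.lstat(path)            # lstat so a planted symlink is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a real directory")
    if st.st_uid != os.geteuid():
        raise RuntimeError(f"{path} is owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"{path} is writable by group or others")
    return path


def create_private_file(directory, name):
    """Create a new file in the private directory; never reuse an existing entry."""
    # O_EXCL makes the open fail if the name exists, including as a symlink,
    # so a predictable name is harmless once nobody else can write the directory.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(os.path.join(directory, name), flags, 0o600)
    return os.fdopen(fd, "w")


if __name__ == "__main__":
    # Constructed demo location; a real application would use its own fixed path.
    base = tempfile.mkdtemp()
    workdir = ensure_private_dir(os.path.join(base, "app-tmp"))
    with create_private_file(workdir, "scratch.dat") as fh:
        fh.write("intermediate data\n")
    print("wrote", os.path.join(workdir, "scratch.dat"))
```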