[Patches] [ python-Patches-589982 ] tempfile.py rewrite
noreply@sourceforge.net
Fri, 02 Aug 2002 23:53:59 -0700
Patches item #589982, was opened at 2002-08-01 23:38
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=589982&group_id=5470
Category: Modules
Group: Python 2.3
Status: Open
Resolution: None
Priority: 5
Submitted By: Zack Weinberg (zackw)
Assigned to: Nobody/Anonymous (nobody)
Summary: tempfile.py rewrite
Initial Comment:
This rewrite closes a number of security-relevant races
in tempfile.py; makes temporary filenames much harder
to guess; provides secure interfaces that can be used
to close similar races elsewhere; and makes it possible
to control the prefix and directory of each temporary
created, individually.
----------------------------------------------------------------------
>Comment By: Zack Weinberg (zackw)
Date: 2002-08-02 23:53
Message:
Logged In: YES
user_id=580015
I've revised the patch; ignore the old one. This version
includes a vastly expanded test_tempfile.py which hits every
line that I know how to test. The omissions are marked -
it's mostly non-Unix issues.
Also, I went through the entire CVS repository and replaced
all uses of tempfile.mktemp with
mkstemp/mkdtemp/NamedTemporaryFile,
as appropriate. The sole exception is Lib/os.py, which is
addressed by patch #590294.
The sole functional change to tempfile.py itself, from the
previous, is to throw os.O_NOFOLLOW into the open flags.
This closes yet another hole - on some systems, without this
flag, open(file, O_CREAT|O_EXCL) will follow a symbolic link
that points to a nonexistent file, and create the link
target. (This has no effect on a symlink in the directory
components of the pathname - if the sysadmin has symlinked
/tmp to /hugedisk/scratch, that still works.)
----------------------------------------------------------------------
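The open-flag behaviour discussed in the 2002-08-02 23:53 comment, as an added example that is not part of the patch or of this tracker thread. It creates a file with O_CREAT|O_EXCL|O_NOFOLLOW and checks both cases the comment names: a dangling symlink as the final path component, and a symlink in a directory component. The helper names and scratch paths are assumptions made for the illustration.

```python
import errno
import os
import tempfile

# O_NOFOLLOW does not exist on every platform; fall back to 0 where it is absent.
OPEN_FLAGS = os.O_RDWR | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)


def create_exclusive(path, mode=0o600):
    """Hypothetical helper: create `path`, failing if any entry (file or
    symlink) already exists under that name."""
    return os.open(path, OPEN_FLAGS, mode)


def demo():
    """Run both cases inside a throwaway directory (all paths constructed)."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        # Case 1: the final component is a symlink to a nonexistent file.
        target = os.path.join(scratch, "link-target")
        link = os.path.join(scratch, "tmpname")
        os.symlink(target, link)
        try:
            os.close(create_exclusive(link))
            results["dangling_link_refused"] = False
        except OSError as exc:
            # EEXIST from O_EXCL; ELOOP/EMLINK from O_NOFOLLOW on some systems.
            results["dangling_link_refused"] = exc.errno in (
                errno.EEXIST, errno.ELOOP, errno.EMLINK)
        # The link target must not have been created through the symlink.
        results["target_created"] = os.path.lexists(target)

        # Case 2: a symlink in a directory component is still followed.
        real_dir = os.path.join(scratch, "hugedisk-scratch")
        os.mkdir(real_dir)
        dir_link = os.path.join(scratch, "tmp")
        os.symlink(real_dir, dir_link)
        os.close(create_exclusive(os.path.join(dir_link, "file")))
        results["created_via_dir_symlink"] = os.path.isfile(
            os.path.join(real_dir, "file"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```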
Comment By: Guido van Rossum (gvanrossum)
Date: 2002-08-02 07:45
Message:
Logged In: YES
user_id=6380
This needs some serious review!
Volunteers???
----------------------------------------------------------------------