[Python-Dev] Is the tempfile module really a security risk?
Tim Peters
tim_one@email.msn.com
Mon, 22 May 2000 02:59:16 -0400
[Guido]
> Every few months I receive patches that purport to make the tempfile
> module more secure. I've never felt that it is a problem. What is
> with these people?
Doing a google search on

    tempfile security

turns up hundreds of rants. Have fun <wink>. There does appear to be a
real vulnerability here somewhere (not necessarily Python), but the closest
I found to a clear explanation in 10 minutes was an annoyed paragraph,
saying that if I didn't already understand the problem I should turn in my
Unix Security Expert badge immediately. Unfortunately, Bill Gates never
issued one of those to me.
> ...
> Is the "random-tempfile" patch that the poster below suggested worth
> applying?
Certainly not the patch he posted! And for reasons I sketched in my
patches-list commentary, I doubt any hack based on pseudo-random numbers
*can* solve anything.
assuming-there's-indeed-something-in-need-of-solving-ly y'rs - tim