[Python-Dev] Is the tempfile module really a security risk?

Tim Peters tim_one@email.msn.com
Mon, 22 May 2000 02:59:16 -0400

> Every few months I receive patches that purport to make the tempfile
> module more secure.  I've never felt that it is a problem.  What is
> with these people?

Doing a google search on

    tempfile security

turns up hundreds of rants.  Have fun <wink>.  There does appear to be a
real vulnerability here somewhere (not necessarily Python), but the closest
I found to a clear explanation in 10 minutes was an annoyed paragraph,
saying that if I didn't already understand the problem I should turn in my
Unix Security Expert badge immediately.  Unfortunately, Bill Gates never
issued one of those to me.

> ...
> Is the "random-tempfile" patch that the poster below suggested worth
> applying?

Certainly not the patch he posted!  And for reasons I sketched in my
patches-list commentary, I doubt any hack based on pseudo-random numbers
*can* solve anything.

assuming-there's-indeed-something-in-need-of-solving-ly y'rs  - tim