[Python-Dev] Some more on the 'tempfile' naming security issue

Tim Peters tim_one@email.msn.com
Mon, 22 May 2000 22:21:00 -0400


[Peter Funk]
> On <http://www.insecure.org/sploits/gcc.tmpfiles.html> you can find a
> working example which exploits this vulnerability in older versions
> of GCC.
>
> The basic idea is indeed very simple:  Since the /tmp directory is
> writable for any user, the bad guy can create a symbolic link in /tmp
> pointing to some arbitrary file (e.g. to /etc/passwd).  The attacked
> program will then overwrite this arbitrary file (where the programmer
> really wanted to write something to his tempfile instead).  Since this
> will happen with the access permissions of the process running this
> program, this opens a bunch of vulnerabilities in many programs
> writing something into temporary files with predictable file names.

I can understand all that, but does it have anything to do with Python's
tempfile module?  gcc wasn't fixed by changing glibc, right?  Playing games
with the file *names* doesn't appear to me to solve anything; the few posts
I bumped into where that was somehow viewed as a Good Thing were about
Solaris systems, where Sun kept the source for generating the "new,
improved, messy" names secret.  In Python, any attacker can read the code
for anything we do, which makes it much clearer that a name-game approach
is half-assed.

and-people-whine-about-worming-around-bad-decisions-in-
    windows<wink>-ly y'rs  - tim
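
Added example, not part of the original post and not Python's tempfile source: the symlink scenario Peter Funk describes, reproduced inside a private sandbox directory, with a plain open() beside an atomic O_CREAT|O_EXCL open. The file names protected.txt and cc_tmp_1234 and the helper functions are constructed for illustration.

```python
import os
import tempfile


def naive_write(path, data):
    """Vulnerable pattern: open() follows a symlink already sitting at path."""
    with open(path, "w") as f:
        f.write(data)


def exclusive_write(path, data):
    """Hardened pattern: O_CREAT|O_EXCL creates the file atomically and fails
    with EEXIST if anything, including a symlink, already exists at path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Run both patterns against a pre-planted symlink inside a sandbox dir."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        # Constructed names: protected.txt stands in for a file such as
        # /etc/passwd, cc_tmp_1234 for a predictable temp file name.
        protected = os.path.join(sandbox, "protected.txt")
        predictable = os.path.join(sandbox, "cc_tmp_1234")

        for name, writer in (("naive", naive_write),
                             ("exclusive", exclusive_write)):
            with open(protected, "w") as f:
                f.write("original")
            os.symlink(protected, predictable)  # link planted before the write
            try:
                writer(predictable, "scratch data")
                refused = False
            except FileExistsError:
                refused = True
            with open(protected) as f:
                intact = f.read() == "original"
            results[name] = {"refused": refused, "protected_intact": intact}
            os.unlink(predictable)  # removes the link itself, not its target
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The exclusive open is refused no matter how the name was chosen, so the protection comes from the creation flags rather than from the name.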