[Python-Dev] Some more on the 'tempfile' naming security issue

Guido van Rossum guido@python.org
Wed, 24 May 2000 09:17:29 -0500

> I agree.  But I think we should at least extend the documentation
> of 'tempfile' (Fred?) to guide people not to write Pythoncode like
> 	mytemp = open(tempfile.mktemp(), "w")
> in programs that are intended to be used on Unix systems by arbitrary
> users (possibly 'root').  Even better:  Someone with enough spare time 
> should add a new function 'mktempfile()', which creates a temporary 
> file and takes care of the security issue and than returns the file 
> handle.  This implementation must take care of race conditions using
> 'os.open' with the following flags:
>        O_CREAT If the file does not exist it will be created.
>        O_EXCL  When used with O_CREAT, if the file already  exist
> 	       it is  an error and the open will fail. 

Have you read a recent (CVS) version of tempfile.py?  It has all this
in the class TemporaryFile()!

--Guido van Rossum (home page: http://www.python.org/~guido/)