[Python-Dev] Some more on the 'tempfile' naming security issue
Guido van Rossum
guido@python.org
Wed, 24 May 2000 09:17:29 -0500
> I agree. But I think we should at least extend the documentation
> of 'tempfile' (Fred?) to guide people not to write Python code like
>     mytemp = open(tempfile.mktemp(), "w")
> in programs that are intended to be used on Unix systems by arbitrary
> users (possibly 'root'). Even better: Someone with enough spare time
> should add a new function 'mktempfile()', which creates a temporary
> file and takes care of the security issue and then returns the file
> handle. This implementation must take care of race conditions using
> 'os.open' with the following flags:
>
> O_CREAT   If the file does not exist it will be created.
> O_EXCL    When used with O_CREAT, if the file already exists
>           it is an error and the open will fail.
Have you read a recent (CVS) version of tempfile.py? It has all this
in the class TemporaryFile()!
--Guido van Rossum (home page: http://www.python.org/~guido/)
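
The O_CREAT | O_EXCL approach discussed in this message, as an added example that is not part of the original thread and is not the code in tempfile.py. The name `mktempfile` is taken from the quoted proposal; `create_exclusive` and `demo` are hypothetical helpers, and the occupied file in `demo` is constructed.

```python
import os
import secrets
import tempfile


def create_exclusive(path):
    """Create path for writing; fail if a file or symlink already exists there."""
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL
    # O_NOFOLLOW is not defined on every platform; O_EXCL with O_CREAT
    # already refuses an existing symlink on POSIX.
    flags |= getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # owner-only permissions
    return os.fdopen(fd, "w+")


def mktempfile(directory=None, prefix="tmp", attempts=100):
    """Hypothetical helper from the proposal: returns (file object, path)."""
    directory = directory or tempfile.gettempdir()
    for _ in range(attempts):
        path = os.path.join(directory, prefix + secrets.token_hex(8))
        try:
            return create_exclusive(path), path
        except FileExistsError:
            continue  # name was taken between choosing and creating it
    raise FileExistsError("no unused temporary file name found")


def demo():
    """Constructed scenario: the chosen name is occupied before the open."""
    with tempfile.TemporaryDirectory() as d:
        occupied = os.path.join(d, "tmpfixed")
        with open(occupied, "w") as f:
            f.write("pre-existing")
        try:
            create_exclusive(occupied).close()
            refused = False
        except FileExistsError:
            refused = True  # open(mktemp(), "w") would have overwritten it
        fobj, path = mktempfile(directory=d)
        with fobj:
            fobj.write("data")
            mode = os.stat(path).st_mode & 0o777
        with open(occupied) as f:
            untouched = f.read() == "pre-existing"
        return refused, untouched, mode


if __name__ == "__main__":
    print(demo())
```

In current Python, `tempfile.mkstemp()` and `tempfile.TemporaryFile()` perform this exclusive creation for you.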