[Python-Dev] Concerns about tempfile.mktemp()
Matt Wilson
msw@redhat.com
Mon, 12 Mar 2001 16:47:05 -0500

We've been auditing various code lately to check for /tmp races and so
on. It seems that tempfile.mktemp() is used throughout the Python
library. While nice and portable, tempfile.mktemp() is vulnerable to
races.

The TemporaryFile does a nice job of handling the filename returned by
mktemp properly, but there are many modules that don't.

Should I attempt to patch them all to use TemporaryFile? Or set up
conditional use of mkstemp on those systems that support it?

Cheers,

Matt
msw@redhat.com
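
The race raised in the message above, as an added example that is not part of the original post: a name chosen ahead of time is opened with plain open(), with O_CREAT|O_EXCL, and via tempfile.mkstemp() from today's Python standard library. The private directory standing in for /tmp, the pre-existing file, and the names racy_write, exclusive_write and demo are assumptions made for the illustration.

```python
import os
import shutil
import stat
import tempfile


def racy_write(path, data):
    """Pattern at issue: the name was picked earlier, and open() reuses
    whatever exists at that path by the time we get here."""
    with open(path, "w") as f:
        f.write(data)


def exclusive_write(path, data):
    """Create-or-fail: with O_CREAT|O_EXCL the kernel refuses a path that
    already exists, so a lost race becomes an error instead of a write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    results = {}
    workdir = tempfile.mkdtemp()  # private directory standing in for /tmp
    try:
        # Constructed scenario: the name is already known, and a file appears
        # at that name before our code opens it.
        name = os.path.join(workdir, "predictable-name")
        with open(name, "w") as f:
            f.write("created by another party")

        racy_write(name, "secret")
        with open(name) as f:
            results["racy_reused_existing"] = f.read() == "secret"

        try:
            exclusive_write(name, "secret")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True

        # mkstemp chooses the name and opens it exclusively in one step,
        # returning an already-open descriptor with owner-only permissions.
        fd, path = tempfile.mkstemp(dir=workdir)
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        results["mkstemp_private"] = (mode & 0o077) == 0
        os.close(fd)
    finally:
        shutil.rmtree(workdir)
    return results
```

When auditing callers, the thing to look for is any gap between obtaining the name and the open that creates the file; code that keeps using the descriptor returned by mkstemp has no such gap.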