[Python-Dev] Concerns about tempfile.mktemp()
Guido van Rossum
guido@digicool.com
Mon, 12 Mar 2001 18:23:06 -0500
> We've been auditing various code lately to check for /tmp races and so
> on. It seems that tempfile.mktemp() is used throughout the Python
> library. While nice and portable, tempfile.mktemp() is vulnerable to
> races.
>
> The TemporaryFile does a nice job of handling the filename returned by
> mktemp properly, but there are many modules that don't.
>
> Should I attempt to patch them all to use TemporaryFile? Or set up
> conditional use of mkstemp on those systems that support it?
Matt, please be sure to look at the 2.1 CVS tree. I believe that
we've implemented some changes that may make mktemp() better behaved.
If you find that this is still not good enough, please feel free to
submit a patch to SourceForge that fixes the uses of mktemp() --
insofar as possible. (I know e.g. the test suite has some places where
mktemp() is used as the name of a dbm file.)
Thanks for looking into this!
--Guido van Rossum (home page: http://www.python.org/~guido/)
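
Added example, not part of the original message or of the Python library: it shows the gap between choosing a name with mktemp() and opening it, and how exclusive creation or mkstemp() closes that gap. The helper names (plant, racy_write, exclusive_write, mkstemp_write) are hypothetical, and the "other process" is simulated inside a private scratch directory.

```python
import os
import stat
import tempfile


def plant(path):
    """Constructed stand-in for another local process creating the name first."""
    with open(path, "w") as f:
        f.write("planted\n")


def racy_write(directory, data, race=None):
    """mktemp() then open(): the name is chosen now, the file is created later."""
    name = tempfile.mktemp(dir=directory)    # returns a path only; nothing exists yet
    if race:
        race(name)                           # the window between choosing and opening
    with open(name, "a") as f:               # no O_EXCL: reuses whatever is at `name`
        f.write(data)
    with open(name) as f:
        return f.read()


def exclusive_write(directory, data, race=None):
    """Same name choice, but creation fails if the name already exists."""
    name = tempfile.mktemp(dir=directory)
    if race:
        race(name)
    # O_CREAT | O_EXCL makes "check and create" one atomic step in the kernel.
    fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return name


def mkstemp_write(directory, data):
    """mkstemp() picks the name and creates the file exclusively in one call."""
    fd, name = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return name, stat.S_IMODE(os.stat(name).st_mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # private scratch dir for the demo
        print(repr(racy_write(d, "secret", race=plant)))
        try:
            exclusive_write(d, "secret", race=plant)
        except FileExistsError as exc:
            print("refused:", exc.filename)
        print(mkstemp_write(d, "secret"))
```

On POSIX systems mkstemp() creates the file with mode 0600, so the result is also unreadable to other local users.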