[Python-Dev] Warn about mktemp once again?
Guido van Rossum
guido at python.org
Tue May 6 19:16:10 CEST 2008
On Tue, May 6, 2008 at 4:19 AM, Tristan Seligmann
<mithrandi-python-dev at mithrandi.za.net> wrote:
> * Antoine Pitrou <solipsis at pitrou.net> [2008-05-06 10:47:23 +0000]:
> > Sorry to revive this thread, but mktemp() is very useful when the file is meant
> > to be created by another application (e.g. launched by subprocess, but it could
> > even be a daemon running under a different user). For example if I have a
> > processing chain to converts a PDF to a temporary JPEG using an external tool
> > and then does other things with the JPEG: I don't want Python to actually
> > create the file, just to generate an unique filename.
>
> The correct way to do this is to create a temporary directory, and then
> generate a filename underneath that directory to use.
Good catch. The problem with mktemp() is exactly its convenience,
which opens it up for well-documented symlink attacks.
--
--Guido van Rossum (home page: http://www.python.org/~guido/)
More information about the Python-Dev
mailing list