[Python-Dev] Warn about mktemp once again?

Toby Dickenson tdickenson at geminidataloggers.com
Wed May 7 10:40:49 CEST 2008


Tristan Seligmann wrote:

> The correct way to do this is to create a temporary directory, and then
> generate a filename underneath that directory to use.

There is a platform difference here. On Unix, mktemp will usually provide a
file name in a world-writeable directory (/tmp/) which is wide open to race
condition attacks leading to privilege escalation.

On win32 it will usually (but not always) provide a file name in a directory
writeable only by the current user. The temporary directory step sometimes
seems unnecessary to Windows developers.
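The temporary-directory approach quoted above, as an added example that is not part of the original post: it creates a private directory with `tempfile.mkdtemp()`, checks on POSIX that only the current user can reach it, and creates the file beneath it with `O_EXCL` so a pre-existing name is refused rather than reused. The helper names `private_temp_name`, `create_exclusive` and `demo` are hypothetical.

```python
import contextlib
import os
import shutil
import stat
import tempfile


@contextlib.contextmanager
def private_temp_name(filename="work.dat"):
    """Yield a path inside a freshly created directory only we can access."""
    # mkdtemp() creates the directory atomically with mode 0o700, so no other
    # local user can pre-create or swap entries beneath it.
    directory = tempfile.mkdtemp(prefix="private-")
    try:
        if os.name == "posix":
            info = os.lstat(directory)
            # Refuse to continue if the directory is not ours or is
            # accessible to group/other.
            if info.st_uid != os.geteuid() or stat.S_IMODE(info.st_mode) & 0o077:
                raise PermissionError("temporary directory is not private")
        yield os.path.join(directory, filename)
    finally:
        shutil.rmtree(directory, ignore_errors=True)


def create_exclusive(path, data):
    """Create path, raising FileExistsError if anything already sits there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # flag is absent on Windows
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)


def demo():
    """Return (name_was_reused, file_contents, directory) for one run."""
    with private_temp_name() as path:
        create_exclusive(path, b"first")
        try:
            create_exclusive(path, b"second")
            reused = True
        except FileExistsError:
            reused = False
        with open(path, "rb") as handle:
            return reused, handle.read(), os.path.dirname(path)
```

The same code runs on win32, where the permission check is skipped and the directory's access is whatever the user's temporary location already provides.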





