[Python-Dev] Ext4 data loss

Zvezdan Petkovic zvezdan at zope.com
Fri Mar 13 20:01:03 CET 2009

On Mar 13, 2009, at 2:31 PM, Martin v. Löwis wrote:

>> Think about the security implications of a file name that is in  
>> advance known to an attacker as well as the fact that the said file  
>> will replace an *important* system file.
> You should always use O_EXCL in that case. Relying on random name will
> be a severe security threat to the application.

If you read an implementation of mkstemp() function, you'll see that  
it does exactly that:

	if ((*doopen = open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
	if (errno != EEXIST)

That's why I mentioned mkstemp() in the OP.


More information about the Python-Dev mailing list