[Python-Dev] Ext4 data loss
Andrew McNabb
amcnabb at mcnabbs.org
Fri Mar 13 19:42:30 CET 2009
On Fri, Mar 13, 2009 at 07:31:21PM +0100, "Martin v. Löwis" wrote:
> > Think about the security implications of a file name that is in advance
> > known to an attacker as well as the fact that the said file will replace
> > an *important* system file.
>
> You should always use O_EXCL in that case. Relying on random name will
> be a severe security threat to the application.
But mkstemp does open files with O_EXCL, so the two approaches really
aren't that different. Using tempfile can be a little simpler because
it will eventually succeed.
--
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55 8012 AB4D 6098 8826 6868
More information about the Python-Dev
mailing list