[Python-Dev] Ext4 data loss

Andrew McNabb amcnabb at mcnabbs.org
Fri Mar 13 19:42:30 CET 2009

On Fri, Mar 13, 2009 at 07:31:21PM +0100, "Martin v. Löwis" wrote:
> > Think about the security implications of a file name that is in advance
> > known to an attacker as well as the fact that the said file will replace
> > an *important* system file.
> You should always use O_EXCL in that case. Relying on random name will
> be a severe security threat to the application.

But mkstemp does open files with O_EXCL, so the two approaches really
aren't that different.  Using tempfile can be a little simpler because
it will eventually succeed.

Andrew McNabb
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868

More information about the Python-Dev mailing list