[Python-Dev] Remove tempfile.mktemp()

Anders Munch ajm at flonidan.dk
Wed Mar 20 05:53:13 EDT 2019


Anders Munch:
>>> So use NamedTemporaryFile(delete = False) and close it before passing it to the other program.
>> That's effectively the same as calling tempfile.mktemp. While it does waste time opening and closing an unused file, that doesn't help with security.
Sebastian Rittau:
> That is not actually true. The important difference is that with NamedTemporaryFile the file exists with appropriate access right (0600).

You are right, I must have mentally reversed the polarity of the delete argument.  And I didn't realise that the access right on a file had the power to prevent itself from being removed from the folder that it's in.  I thought the access flags were a property of the file itself and not the directory entry. Not sure how that works.

But if NamedTemporaryFile(delete=False) is secure then why not use that to implement mktemp?

def mktemp(suffix="", prefix=template, dir=None):
    with NamedTemporaryFile(delete=False, suffix=suffix, prefix=prefix, dir=dir) as f:
        return f.name

Yes, it does leave an empty file if the name is not used, but the name is usually created with the intent to use it, so that is rarely going to be a problem. Just document that that's how it is.  It does mean that where there's an explicit file-exists check before writing the file, that code will break. But it will break a lot less code than removing mktemp entirely.

regards, Anders
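
Added example, not part of the message above and not code from the tempfile module: it compares what tempfile.mktemp() and the NamedTemporaryFile(delete=False) variant proposed in the message leave on disk, including the file mode and whether a later exclusive create on the returned name succeeds. The names reserve_temp_name and compare are hypothetical, and the mode check assumes a POSIX system.

```python
import os
import stat
import tempfile


def reserve_temp_name(suffix="", prefix=tempfile.template, dir=None):
    """Hypothetical helper mirroring the proposal: create the file, return its name."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=suffix,
                                     prefix=prefix, dir=dir) as f:
        return f.name


def try_exclusive_create(path):
    """Attempt an O_EXCL create; report whether the name was still unclaimed."""
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return "refused"
    os.close(fd)
    return "created"


def compare():
    """Return the observable differences between the two approaches."""
    with tempfile.TemporaryDirectory() as workdir:
        legacy = tempfile.mktemp(dir=workdir)      # a name only, nothing on disk
        reserved = reserve_temp_name(dir=workdir)  # file already exists
        return {
            "legacy_exists": os.path.exists(legacy),
            "reserved_exists": os.path.exists(reserved),
            # Permission bits of the reserved file (0o600 on POSIX).
            "reserved_mode": stat.S_IMODE(os.stat(reserved).st_mode),
            # The mktemp() name is free for whoever creates it first.
            "legacy_excl_create": try_exclusive_create(legacy),
            # The reserved name is taken, so an exclusive create fails.
            # Callers that check for existence before writing hit the
            # same condition, which is the breakage the message mentions.
            "reserved_excl_create": try_exclusive_create(reserved),
        }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value!r}")
```
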


