[Python-Dev] Remove tempfile.mktemp()
Jeroen Demeyer
J.Demeyer at UGent.be
Wed Mar 20 07:53:20 EDT 2019
On 2019-03-20 12:45, Victor Stinner wrote:
> You can watch the /tmp directory using inotify and "discover"
> immediately the "secret" filename, it doesn't depend on the amount of
> entropy used to generate the filename.
That's not the problem. The security issue here is guessing the filename
*before* it's created and putting a different file or symlink in place.
So I actually do think that mktemp() could be made secure by using a
longer name generated by a secure random generator.
More information about the Python-Dev
mailing list