[Python-Dev] Remove tempfile.mktemp()

Jeroen Demeyer J.Demeyer at UGent.be
Wed Mar 20 07:53:20 EDT 2019

On 2019-03-20 12:45, Victor Stinner wrote:
> You can watch the /tmp directory using inotify and "discover"
> immediately the "secret" filename, it doesn't depend on the amount of
> entropy used to generate the filename.

That's not the problem. The security issue here is guessing the filename 
*before* it's created and putting a different file or symlink in place.

So I actually do think that mktemp() could be made secure by using a 
longer name generated by a secure random generator.

More information about the Python-Dev mailing list