tempfile.mktemp() and symlink attacks
Aahz
aahz at pythoncraft.com
Mon Nov 18 16:04:25 EST 2002
[I'm reposting this because nobody followed up to it. I tried doing
some research because I know there have been changes for Python 2.3, but
I wasn't able to find the relevant posts on python-dev.]
In article <3ygu9.105734$La5.330766 at rwcrnsc52.ops.asp.att.net>,
Kent Hu <kenthu at kenNOSPAMthu.net> wrote:
>Is using tempfile.mktemp() vulnerable to symlink attacks? The reason I ask
>is that the documentation for os.tempnam() and os.tmpnam() has warnings
>about symlink attacks, but the documentation for tempfile.mktemp() does
>not. Also, running os.tempnam() and os.tmpnam() actually brings a
>RuntimeWarning, while I tried comparing the implementations, but couldn't
>find the source for os.tempnam() and os.tmpnam() in os.py (I'm using
>version 2.2.1).
>
>Now, if tempfile.mktemp() is vulnerable, I think the docs should say so.
>And if it's not vulnerable, the docs for os.tempnam() and os.tmpnam()
>should refer readers to tempfile.mktemp() instead of os.tmpfile(), since
>tempfile.mktemp() is more functionally similar.
>
>Kent Hu
>
>
>Relevant links:
>http://www.python.org/doc/current/lib/os-file-dir.html
>http://www.python.org/doc/current/lib/module-tempfile.html
--
Aahz (aahz at pythoncraft.com) <*> http://www.pythoncraft.com/
A: No.
Q: Is top-posting okay?
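
Added example, not part of the original post and not code from the Python source: a name that is created by a plain open() follows a symlink already sitting at that name, while O_CREAT|O_EXCL creation and tempfile.mkstemp() (available from Python 2.3 on; this sketch is written for Python 3 on a POSIX system) refuse it. The file names and the helper functions naive_create, exclusive_create and demo are constructed for illustration.

```python
import os
import tempfile


def naive_create(path, data):
    """Create-by-name, as code holding a mktemp()-style name typically does.
    open(..., "w") follows symlinks and truncates whatever they point to."""
    with open(path, "w") as f:
        f.write(data)


def exclusive_create(path, data):
    """Create the file only if nothing exists at path. With O_CREAT|O_EXCL
    the kernel rejects an existing name, including a symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Return (victim content after naive create, whether exclusive create
    refused the planted link, whether mkstemp made a regular file)."""
    with tempfile.TemporaryDirectory() as sandbox:   # private demo directory
        victim = os.path.join(sandbox, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")

        # Constructed stand-in for a predictable temp name that already
        # exists as a symlink by the time the program creates its file.
        guessed = os.path.join(sandbox, "tmp-guessed-name")
        os.symlink(victim, guessed)

        naive_create(guessed, "scratch data")
        with open(victim) as f:
            clobbered = f.read()

        try:
            exclusive_create(guessed, "scratch data")
            refused = False
        except FileExistsError:
            refused = True

        # mkstemp() chooses the name and creates the file in one step.
        fd, path = tempfile.mkstemp(dir=sandbox)
        os.close(fd)
        regular = os.path.isfile(path) and not os.path.islink(path)
        return clobbered, refused, regular


if __name__ == "__main__":
    print(demo())
```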