Question on os.tempnam() vulnerability

cameronwong88 at gmail.com cameronwong88 at gmail.com
Sat Jan 5 01:52:57 CET 2008


On Jan 4, 12:09 pm, Fredrik Lundh <fred... at pythonware.com> wrote:
> cameronwon... at gmail.com wrote:
> > Does any one know what kind of security risk these message are
> > suggesting?
>
> >>>> f = os.tempnam()
> > __main__:1: RuntimeWarning: tempnam is a potential security risk to
> > your program
> >>>> f
> > '/tmp/filed4cJNX'
>
> >>>> g = os.tmpnam()
> > __main__:1: RuntimeWarning: tmpnam is a potential security risk to
> > your program
> >>>> g
> > '/tmp/fileENAuNw'
>
> you get a name instead of a file, so someone else can create that file
> after you've called tempnam/tmpnam, but before you've actually gotten
> around to create the file yourself.  which means that anyone on the
> machine might be able to mess with your application's data.
>
> use the functions marked as "safe" in the tempfile module instead.
>
> </F>

Thanks Fredrik, for the clear explanation!!!

~cw



More information about the Python-list mailing list