[Tutor] Can tempfile.NamedTemporaryFile(delete=False) be used to create *permanent* uniquely named files?

Cameron Simpson cs at cskk.id.au
Tue Oct 23 07:49:52 EDT 2018

On 23Oct2018 11:24, Peter Otten <__peter__ at web.de> wrote:
>Cameron Simpson wrote:
>> The doco for mktemp (do not use! use mkstemp or the 
>> NamedTemporaryFile
>> classes instead!) explicitly mentions using delete=False.
>Well, "permanent temporary file" does sound odd.
>By the way, NamedTemporaryFile returns a proxy instead of the file itself.
>In some rare cases that could be a problem.
>Would mktemp() really be dangerous if you used it like this,
>def new_game(directory):
>    for _retry in range(3):
>        filename = mktemp("game_", ".json", dir=directory)
>        try:
>           return open(filename, "x")
>        except FileExistsError:
>           pass
>    raise FileExistsError
>with the "x" mode?

In terms of a race, maybe not. But in terms of security? Probably.

Consider: the issue with mktemp is that it can be switched out before 
use. So:

Alice: mktemp() -> filename

Mallory: guess filename, put a symlink there pointing at a file which 
doesn't exist, but which has an effect if it does. For example, in 
ancient windows, an autorun.ini file. Or cooler, on UNIX, a file in 

Alice: write to filename, not accidentally _creating_ the target of the 
symlink, now writing a file somewhere unwanted.

Now, the examples above pretend that Alice has root privileges so that 
Mallory affects a root run system. But for Alice, it is just as bad if 
Mallory just subverts her personal account via some other pathname.

Also, there's the issue of privacy: open(), in your example, will use 
the default umask, which may be more open than one wants. And so on...

Cameron Simpson <cs at cskk.id.au>

More information about the Tutor mailing list