[Python-Dev] Warn about mktemp once again?

"Martin v. Löwis" martin at v.loewis.de
Wed May 7 08:29:28 CEST 2008


> Sorry to revive this thread, but mktemp() is very useful when the file is meant
> to be created by another application (e.g. launched by subprocess, but it could
> even be a daemon running under a different user). For example if I have a
> processing chain that converts a PDF to a temporary JPEG using an external tool
> and then does other things with the JPEG: I don't want Python to actually
> create the file, just to generate a unique filename.

Are you (or are you not) aware that this strategy allows for malicious
code to provide you with a fake JPEG file? If so, does it not concern
you?

As others have said: the reason the function is deprecated is that it
is easy to run into security problems while using it, and users are
often unaware of the security implications. Of course, for many
applications, there is no real threat, and any risk might be acceptable.
Unfortunately, if a security catastrophe results from the function,
blame is (correctly) also upon Python for providing the function in
the first place.

Regards,
Martin
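The following is an added example, not code from the thread or from CPython, illustrating both halves of the exchange: first the planted-file scenario Martin describes (a name from `mktemp()` that something else creates before the consumer reads it), then the mitigation for the "another program writes the file" case, which is to hand the external tool a path inside a fresh private directory from `tempfile.mkdtemp()` (mode 0700) and, where Python itself opens the file, to use `O_CREAT|O_EXCL` as `mkstemp()` does. The function names, the `pdf2jpeg-` prefix and the stand-in "external tool" (a child Python process writing constructed bytes) are assumptions of this example; it assumes a POSIX filesystem.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def demo_mktemp_race():
    """Reproduce the hazard from the thread: mktemp() only returns a name.

    Between the call and the moment the consumer reads the file, anyone who
    can guess the name and write to the directory may create it first.  The
    pre-creation below is a constructed stand-in for that other party.
    """
    name = tempfile.mktemp(suffix=".jpg")
    Path(name).write_bytes(b"not a jpeg")   # constructed: file planted before use
    try:
        planted = Path(name).exists()
        data = Path(name).read_bytes()      # a naive consumer trusts whatever is there
    finally:
        os.unlink(name)
    return planted, data


def output_path_for_external_tool(suffix=".jpg"):
    """Return (private_dir, path) for a file an external tool will create.

    mkdtemp() creates the directory atomically with mode 0700, so no other
    user can pre-create or replace the file inside it, even though the file
    itself does not exist yet.  Caller removes private_dir when done.
    """
    private_dir = tempfile.mkdtemp(prefix="pdf2jpeg-")   # hypothetical prefix
    return private_dir, os.path.join(private_dir, "page" + suffix)


def create_exclusively(path):
    """Create path with O_CREAT|O_EXCL (the guarantee mkstemp() relies on).

    Returns False instead of silently reusing a file that already existed.
    """
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def run_external_writer(path, payload):
    """Stand-in for the converter: a child process writes the output file."""
    code = "import sys; open(sys.argv[1], 'wb').write(sys.stdin.buffer.read())"
    subprocess.run([sys.executable, "-c", code, path], input=payload, check=True)


def demo_private_directory():
    """Show the mitigated flow and return what a reviewer would check."""
    private_dir, path = output_path_for_external_tool()
    try:
        dir_mode = os.stat(private_dir).st_mode & 0o777
        run_external_writer(path, b"\xff\xd8\xff")        # constructed JPEG magic
        produced = Path(path).read_bytes()
        # If Python itself had to create the file, O_EXCL refuses an existing one.
        first = create_exclusively(path + ".lock")
        second = create_exclusively(path + ".lock")
        return dir_mode, produced, first, second
    finally:
        shutil.rmtree(private_dir)


if __name__ == "__main__":
    print("mktemp race:", demo_mktemp_race())
    print("private dir:", demo_private_directory())
```

The point of the private directory is that it moves the exclusivity guarantee from the file to its parent: the external tool still gets a plain path to create, but the only principal able to create anything under that path is the user who ran `mkdtemp()`.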

