[Python-Dev] Ext4 data loss
Zvezdan Petkovic
zvezdan at zope.com
Fri Mar 13 20:01:03 CET 2009
On Mar 13, 2009, at 2:31 PM, Martin v. Löwis wrote:
>> Think about the security implications of a file name that is in
>> advance known to an attacker as well as the fact that the said file
>> will replace an *important* system file.
>
> You should always use O_EXCL in that case. Relying on a random name will
> be a severe security threat to the application.

If you read an implementation of the mkstemp() function, you'll see that
it does exactly that:

    if ((*doopen = open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
        return(1);
    if (errno != EEXIST)
        return(0);

That's why I mentioned mkstemp() in the OP.
Zvezdan
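
Added example, not part of the original message and not libc's code: a small C program showing what the O_CREAT|O_EXCL open quoted above returns when something already sits at the chosen name, either a regular file or a dangling symbolic link. The helper name exclusive_create_result, the scratch directory template and the file names are assumptions made for this demonstration.

```c
#define _DEFAULT_SOURCE 1   /* exposes mkdtemp() and symlink() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum planted { NOTHING, REGULAR_FILE, DANGLING_SYMLINK };

/* Hypothetical helper: plant `what` at a known name inside a private scratch
 * directory, then attempt the same O_CREAT|O_EXCL open that mkstemp() uses.
 * Returns 0 if the file was created, the open() errno if it was refused,
 * or -1 if setup failed or the symlink target ended up being created. */
int exclusive_create_result(enum planted what)
{
    char dir[] = "/tmp/excl-demo-XXXXXX";   /* constructed scratch location */
    char name[64], target[64];
    int fd, result, setup_ok = 1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(name, sizeof name, "%s/known-name.tmp", dir);
    snprintf(target, sizeof target, "%s/important", dir);

    if (what == REGULAR_FILE) {
        fd = open(name, O_CREAT | O_WRONLY, 0600);
        setup_ok = (fd >= 0);
        if (fd >= 0) close(fd);
    } else if (what == DANGLING_SYMLINK) {
        setup_ok = (symlink(target, name) == 0);
    }

    fd = open(name, O_CREAT | O_EXCL | O_RDWR, 0600);
    result = (fd >= 0) ? 0 : errno;         /* capture errno before cleanup */
    if (fd >= 0) close(fd);
    if (!setup_ok || access(target, F_OK) == 0)
        result = -1;                        /* setup failed or link followed */

    unlink(target);
    unlink(name);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("none=%d file=%d symlink=%d (EEXIST=%d)\n",
           exclusive_create_result(NOTHING), exclusive_create_result(REGULAR_FILE),
           exclusive_create_result(DANGLING_SYMLINK), EEXIST);
    return 0;
}
```

POSIX specifies that with O_CREAT and O_EXCL both set, open() fails with EEXIST when the path names a symbolic link, so the link target is never created; on EEXIST mkstemp() moves on to another name instead of reusing the existing one.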