tempfile.mktemp() and symlink attacks
Robin Munn
rmunn at pobox.com
Wed Nov 27 17:07:20 EST 2002
Aahz <aahz at pythoncraft.com> wrote:
> [I'm reposting this because nobody followed up to it. I tried doing
> some research because I know there have been changes for Python 2.3, but
> I wasn't able to find the relevant posts on python-dev.]
>
> In article <3ygu9.105734$La5.330766 at rwcrnsc52.ops.asp.att.net>,
> Kent Hu <kenthu at kenNOSPAMthu.net> wrote:
>>Is using tempfile.mktemp() vulnerable to symlink attacks? The reason I ask
>>is that the documentation for os.tempnam() and os.tmpnam() has warnings
>>about symlink attacks, but the documentation for tempfile.mktemp() does
>>not. Also, running os.tempnam() and os.tmpnam() actually brings a
>>RuntimeWarning, while I tried comparing the implementations, but couldn't
>>find the source for os.tempnam() and os.tmpnam() in os.py (I'm using
>>version 2.2.1).
>>
>>Now, if tempfile.mktemp() is vulnerable, I think the docs should say so.
>>And if it's not vulnerable, the docs for os.tempnam() and os.tmpnam()
>>should refer readers to tempfile.mktemp() instead of os.tmpfile(), since
>>tempfile.mktemp() is more functionally similar.
>>
>>Kent Hu
>>
>>
>>Relevant links:
>>http://www.python.org/doc/current/lib/os-file-dir.html
>>http://www.python.org/doc/current/lib/module-tempfile.html
Strange, I distinctly remember following up to this post some time ago.
*google google google*
Funny, Google doesn't seem to have it.
I'll see if I have a copy of my response lying around anywhere. If not,
I'll try to repost it -- but I'm about to leave on Thanksgiving break
and may be out of touch with the 'Net for a few days; I might not be
able to repost until next Monday.
--
Robin Munn <rmunn at pobox.com>
http://www.rmunn.com/
PGP key ID: 0x6AFB6838 50FF 2478 CFFB 081A 8338 54F7 845D ACFD 6AFB 6838
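
The gap the question above asks about, as an added example that is not part of the original thread: tempfile.mktemp() only returns a name, so a symlink placed at that path before the caller opens it is followed by a plain open(), while exclusive creation (O_CREAT|O_EXCL, or tempfile.mkstemp()) refuses it. The directory, file names and the simulated race are constructed for the demonstration.

```python
import os
import tempfile


def naive_write(path, data):
    """mktemp()-style use: a plain open() follows a symlink found at path."""
    with open(path, "w") as f:
        f.write(data)


def exclusive_write(path, data):
    """Create-or-fail: O_CREAT|O_EXCL refuses any existing entry, symlinks included."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    results = {}
    # A private directory stands in for a shared /tmp (constructed setup).
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim.txt")  # constructed sample file
        naive_write(victim, "original")

        # mktemp() returns a name that did not exist when it looked; nothing
        # reserves it until the caller opens it.
        name = tempfile.mktemp(dir=shared)
        # Constructed race: a symlink appears at that name before the open.
        os.symlink(victim, name)

        naive_write(name, "temp data")
        with open(victim) as f:
            results["victim_after_naive"] = f.read()  # written through the link

        naive_write(victim, "original")  # reset the sample file
        try:
            exclusive_write(name, "temp data")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        with open(victim) as f:
            results["victim_after_exclusive"] = f.read()

        # mkstemp() picks the name and creates the file in a single step.
        fd, safe = tempfile.mkstemp(dir=shared)
        os.close(fd)
        results["mkstemp_regular_file"] = os.path.isfile(safe) and not os.path.islink(safe)
    return results


if __name__ == "__main__":
    print(demo())
```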