tempfile.mktemp() and symlink attacks
Yannick Gingras
ygingras at eclipsys.qc.ca
Fri Nov 29 17:28:10 EST 2002
Robin Munn wrote:
>>>Is using tempfile.mktemp() vulnerable to symlink attacks? The reason I
>>>ask is that the documentation for os.tempnam() and os.tmpnam() has
>>>warnings about symlink attacks, but the documentation for
>>>tempfile.mktemp() does not. Also, running os.tempnam() and os.tmpnam()
>>>actually brings a
>>>RuntimeWarning, while I tried comparing the implementations, but couldn't
>>>find the source for os.tempnam() and os.tmpnam() in os.py (I'm using
>>>version 2.2.1).
I was about to post to report the vulnerability.
tempfile.mktemp() is REALLY vulnerable to symlink attacks.
The default behaviour of tempfile.mktemp() is to return
something close to
import os
num_mktemp_call = 0   # per-process counter, incremented on each call

os.path.join(os.environ['TEMPDIR'],
             "@%d.%d" % (os.getpid(), num_mktemp_call))
hummm... not as readable as I expected. Suppose a process with
pid 2344 and the environment variable TEMPDIR set to /tmp
calls tempfile.mktemp() 3 times; it will receive:
/tmp/@2344.0
/tmp/@2344.1
/tmp/@2344.2
The file names are easy to guess and I don't know a way to
make file() fail if the file already exists.
tempfile.mktemp() will not return a filename already present
on the system but by the time you open it, a symlink may have
been set.
There is an optional argument to tempfile.mktemp() that can
help you make the filename harder to guess, but you still
can't tell if the file has been created by the time you open
it.
ex. :
import time
import tempfile
from random import Random

rnd = Random(time.time())
filename = tempfile.mktemp("%d%d%d" % (rnd.randrange(100000),
                                        rnd.randrange(100000),
                                        rnd.randrange(100000)))
In this form, a large number of random digits will be appended
to the filename. But still, the attacker may understand the
pattern and do an infinite number of retries until he guesses the
right filename, and you have (as far as I know) no way to
detect if file() creates the file or if it opens an existing
file.
--
Yannick Gingras
Coder for OBB : Oratorical Boyish Bozeman
http://OpenBeatBox.org
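The post above asks for a way to make the open fail when something already exists at the chosen path. The following is an added example, not code from the original post: it shows that os.open() with O_CREAT | O_EXCL refuses a path where a file or symlink is already present, while a plain open() follows the planted symlink. The directory layout, the victim file and the predictable name "@2344.0" are constructed for the demonstration; the helper names create_temp_exclusive, open_exclusive_at and demo are hypothetical. tempfile.mkstemp(), added in Python 2.3 after this post was written, uses the same exclusive-create flags internally.

```python
import errno
import os
import secrets
import tempfile


def create_temp_exclusive(directory, prefix="tmp", mode=0o600):
    """Create a brand-new file in `directory` and return (fd, path).

    O_CREAT | O_EXCL makes open() fail with EEXIST if anything already
    exists at that path, including a symlink planted by another process,
    so a guessed name cannot redirect the write.  O_NOFOLLOW is added
    where the platform has it.  The name carries 64 bits of randomness
    from the OS CSPRNG rather than a pid and a counter.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)
    for _ in range(100):
        path = os.path.join(directory, prefix + secrets.token_hex(8))
        try:
            fd = os.open(path, flags, mode)
        except FileExistsError:
            continue          # name taken (or planted); pick another
        return fd, path
    raise FileExistsError(errno.EEXIST, "could not find a free temp name")


def open_exclusive_at(path, mode=0o600):
    """Try to exclusively create exactly `path`.

    Returns True if a fresh file was created, False if something (a
    regular file or a symlink) already occupied the path.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    try:
        fd = os.open(path, flags, mode)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def demo():
    """Constructed scenario: a predictable mktemp-style name already
    points, via symlink, at a file the program never meant to write.
    Returns a dict recording what each approach did."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("original\n")
        predictable = os.path.join(d, "@2344.0")   # the guessable pattern
        os.symlink(victim, predictable)

        # Plain open(): follows the symlink and overwrites the victim.
        with open(predictable, "w") as f:
            f.write("clobbered\n")
        with open(victim) as f:
            victim_contents = f.read()

        # Exclusive create on the same path: refused, victim untouched.
        exclusive_ok = open_exclusive_at(predictable)

        # Proper temp file: unguessable name, created exclusively.
        fd, path = create_temp_exclusive(d)
        os.write(fd, b"safe\n")
        os.close(fd)
        return {
            "victim_contents_after_plain_open": victim_contents,
            "exclusive_create_refused": not exclusive_ok,
            "temp_file_is_symlink": os.path.islink(path),
        }


if __name__ == "__main__":
    print(demo())
```

The key point is that the check and the create happen in one system call, so there is no window between "name is free" and "file is opened" for another process to plant a link; picking a harder-to-guess name only narrows that window, exclusive creation closes it.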