Question on os.tempnam() vulnerability

Jarek Zgoda jzgoda at o2.usun.pl
Sat Jan 5 06:41:54 EST 2008


Grant Edwards writes:

>> you get a name instead of a file, so someone else can create that file 
>> after you've called tempnam/tmpnam, but before you've actually gotten 
>> around to create the file yourself.  which means that anyone on the 
>> machine might be able to mess with your application's data.
>>
>> use the functions marked as "safe" in the tempfile module instead.
> 
> Under Windows, is there a "safe" way to create a temp file that
> has a name that can be passed to a program which will then open
> it? I never figured out a way to do that and had to fall back
> on the "unsafe" tmpnam method.

I think it's impossible to get only a file name and feel safe. You
have to have both the file name and a file object opened exclusively for
you. Any other way, you'll get a possible race condition.

-- 
Jarek Zgoda
http://zgodowie.org/


