Question on os.tempnam() vulnerability
cameronwong88 at gmail.com
Fri Jan 4 19:52:57 EST 2008
On Jan 4, 12:09 pm, Fredrik Lundh <fred... at pythonware.com> wrote:
> cameronwon... at gmail.com wrote:
> > Does anyone know what kind of security risk these messages are
> > suggesting?
>
> > >>> f = os.tempnam()
> > __main__:1: RuntimeWarning: tempnam is a potential security risk to
> > your program
> > >>> f
> > '/tmp/filed4cJNX'
>
> > >>> g = os.tmpnam()
> > __main__:1: RuntimeWarning: tmpnam is a potential security risk to
> > your program
> > >>> g
> > '/tmp/fileENAuNw'
>
> you get a name instead of a file, so someone else can create that file
> after you've called tempnam/tmpnam, but before you've actually gotten
> around to create the file yourself. which means that anyone on the
> machine might be able to mess with your application's data.
>
> use the functions marked as "safe" in the tempfile module instead.
>
> </F>
Thanks Fredrik, for the clear explanation!!!
~cw
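
The gap between getting a name and creating the file, as an added example that is not part of the original thread: the name-only pattern silently reuses a file someone else created first, while exclusive creation and `tempfile.mkstemp()` do not. The private work directory stands in for a shared `/tmp`, and the pre-created file is constructed sample input.

```python
import os
import stat
import tempfile

def name_then_create(path):
    """The tempnam/tmpnam pattern: only a name is known, the file is made later."""
    with open(path, "w") as fh:  # reuses whatever already exists at that name
        fh.write("app data")

def create_exclusive(path):
    """Create the file only if the name is still free; fail otherwise."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("app data")

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as workdir:  # assumption: stands in for /tmp
        guessed = os.path.join(workdir, "filed4cJNX")  # name shape from the post
        # Constructed: another local user creates the name before we do.
        with open(guessed, "w") as other:
            other.write("not ours")
        os.chmod(guessed, 0o666)
        inode_before = os.stat(guessed).st_ino

        # 1. Name first, create later: we write into the other party's file.
        name_then_create(guessed)
        st = os.stat(guessed)
        results["naive_reused_foreign_file"] = st.st_ino == inode_before
        results["naive_mode"] = stat.S_IMODE(st.st_mode)

        # 2. O_EXCL turns the same situation into a detectable error.
        try:
            create_exclusive(guessed)
            results["exclusive_detected"] = False
        except FileExistsError:
            results["exclusive_detected"] = True

        # 3. mkstemp picks the name and creates the file in one atomic step.
        fd, safe_path = tempfile.mkstemp(dir=workdir)
        try:
            results["mkstemp_mode"] = stat.S_IMODE(os.fstat(fd).st_mode)
        finally:
            os.close(fd)
    return results

if __name__ == "__main__":
    print(demo())
```
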