Question on os.tempnam() vulnerability

Grant Edwards grante at visi.com
Sat Jan 5 12:28:34 EST 2008


On 2008-01-05, Fredrik Lundh <fredrik at pythonware.com> wrote:
> Grant Edwards wrote:
>
>>> IOW, it's the same approach as on Unix.
>> 
>> Not really.  Under Unix you can safely create a temp file with
>> a name that can be used to open the file.
>
> Unless I'm missing something, it's not possible to do this in a safe
> way in the shared temp directory; you can do that only by creating a 
> file in a directory that's under full control of your user.

Which is what I do.

> And *that* approach works on Windows as well, of course.

I was asking how to create a named temporary file under Windows
without a race condition.  I've re-read the tempfile module
documentation a couple more times, and it finally dawned on me
that I'd been misreading the following statement about
tempfiles created by NamedTemporaryFile/mkstemp:

  "Whether the name can be used to open the file a second time,
   while the named temporary file is still open, varies across
   platforms (it can be so used on Unix; it cannot on Windows NT
   or later)."

I don't know how many times I've read that and missed the
phrase "while the named temporary file is still open".  I had
always read that as saying that the tempfile couldn't be opened
a second time under Windows.  I know, that would make the
availability of the path/name a moot point, but so many things
under Windows don't make sense to me that I just let it slide.

As Emily Litella used to say:

 "Oh.  That's very different.  Never mind."

-- 
Grant Edwards                   grante             Yow!  It's hard being
                                  at               an ARTIST!!
                               visi.com            
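
The approach settled on in this message (a temporary file created inside a directory under your own control, closed, then reopened by name), as an added example that is not part of the original post. The function name `write_then_reopen` and the sample payload are constructed for illustration.

```python
import errno
import os
import shutil
import tempfile


def write_then_reopen(payload: bytes) -> dict:
    """Create a named temp file without a name race, close it, reopen it by name."""
    result = {}
    # mkdtemp creates the directory with mode 0o700 on Unix, so only the
    # current user can create names inside it.
    private_dir = tempfile.mkdtemp(prefix="example-")
    try:
        # mkstemp opens with O_CREAT | O_EXCL: picking the name and creating
        # the file are one atomic step, unlike os.tempnam(), which only
        # returns a name for the caller to open later.
        fd, path = tempfile.mkstemp(dir=private_dir, suffix=".tmp")
        try:
            os.write(fd, payload)
        finally:
            # Close before reopening: per the tempfile documentation quoted
            # above, reopening by name while the file is still open is not
            # portable to Windows.
            os.close(fd)

        # An exclusive create on a name that already exists must fail
        # rather than reuse whatever is there.
        try:
            os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY))
            result["excl_refused"] = False
        except OSError as exc:
            result["excl_refused"] = exc.errno == errno.EEXIST

        # The handle is closed, so the name can now be used to open the file.
        with open(path, "rb") as fh:
            result["readback"] = fh.read()
        result["inside_private_dir"] = (
            os.path.dirname(os.path.abspath(path)) == os.path.abspath(private_dir)
        )
        if os.name == "posix":
            result["dir_mode"] = os.stat(private_dir).st_mode & 0o777
    finally:
        shutil.rmtree(private_dir)
    result["cleaned_up"] = not os.path.exists(private_dir)
    return result
```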



More information about the Python-list mailing list