[Python-Dev] Extending startup code: PEP needed?

Guido van Rossum guido@python.org
Mon, 08 Jan 2001 17:23:02 -0500


> I was thinking of an attack where knowledge of common temporary
> execution locations is used to trick Python into executing
> untrusted code -- the untrusted code would only have to be
> copied to the known temporary execution directory and then
> gets executed by Python next time the program using the temporary
> location is invoked.

When does Python execute code from a predictable common temporary
location?  When is that likely to be used from a Python script running
as root?

Note that if you use tempfile.TemporaryFile(), you can create a
temporary file that's not subvertible.

--Guido van Rossum (home page: http://www.python.org/~guido/)
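
Added example (not part of the original message or of Python's own code): a sketch of the two defences this exchange touches on, refusing a pre-existing file at a predictable name and using tempfile.TemporaryFile() instead. The function names, file names, and the scratch directory standing in for a shared temp directory are hypothetical, and a POSIX system is assumed.

```python
import os
import tempfile


def create_exclusive(path, data):
    """Create `path` only if nothing is there yet; return False if it was pre-planted.

    O_CREAT|O_EXCL fails on an existing file and on a symlink (even a dangling
    one), so a file name chosen in advance by someone else is never reused.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def roundtrip_private(data):
    """Write and read back through tempfile.TemporaryFile()."""
    with tempfile.TemporaryFile() as f:
        f.write(data)
        f.seek(0)
        return f.read()


def demo():
    """Run the checks inside a scratch directory that stands in for a shared /tmp."""
    ours = b"print('trusted hook')\n"
    with tempfile.TemporaryDirectory() as shared:
        # Constructed case 1: a file already sits at the predictable name.
        planted = os.path.join(shared, "hook.py")
        with open(planted, "wb") as f:
            f.write(b"# written earlier by another user\n")
        # Constructed case 2: a symlink at the predictable name points elsewhere.
        elsewhere = os.path.join(shared, "elsewhere.py")
        link = os.path.join(shared, "hook2.py")
        os.symlink(elsewhere, link)
        return {
            "planted_file_refused": not create_exclusive(planted, ours),
            "planted_link_refused": not create_exclusive(link, ours),
            "link_target_untouched": not os.path.exists(elsewhere),
            "fresh_name_created": create_exclusive(os.path.join(shared, "new.py"), ours),
            "private_roundtrip": roundtrip_private(ours) == ours,
        }


if __name__ == "__main__":
    print(demo())
```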