[Python-Dev] Extending startup code: PEP needed?
Guido van Rossum
guido@python.org
Mon, 08 Jan 2001 17:23:02 -0500
> I was thinking an attack where knowledge of common temporary
> execution locations is used to trick Python into executing
> untrusted code -- the untrusted code would only have to be
> copied to the known temporary execution directory and then
> gets executed by Python next time the program using the temporary
> location is invoked.
When does Python execute code from a predictable common temporary
location? When is that likely to be used from a Python script running
as root?
Note that if you use tempfile.TemporaryFile(), you can create a
temporary file that's not subvertible.
--Guido van Rossum (home page: http://www.python.org/~guido/)
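
Added example, not part of the original message or of Python's own code: it contrasts a predictable file name in a shared temporary directory with exclusive creation and with tempfile.TemporaryFile(). The sandbox directory, the file name app-scratch.py and its planted content are constructed for illustration, and the "no directory entry" result assumes a POSIX system.

```python
import os
import tempfile


def create_exclusive(path):
    """Create path only if nothing exists there; O_EXCL also rejects symlinks."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def demo():
    results = {}
    shared = tempfile.mkdtemp()  # stands in for a world-writable temp directory
    fixed = os.path.join(shared, "app-scratch.py")  # constructed, predictable name
    try:
        # Someone else created the well-known name first (constructed content).
        with open(fixed, "w") as f:
            f.write("PLANTED = True\n")

        # A program that trusts the fixed name reads whatever is already there.
        with open(fixed) as f:
            results["predictable_read"] = f.read()

        # Exclusive creation refuses a name that already exists.
        try:
            os.close(create_exclusive(fixed))
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True

        # TemporaryFile: on POSIX the file has no name in the directory,
        # so there is nothing to guess or pre-create.
        with tempfile.TemporaryFile(mode="w+", dir=shared) as tmp:
            tmp.write("x = 1\n")
            tmp.seek(0)
            results["tmp_content"] = tmp.read()
            results["visible_names"] = sorted(os.listdir(shared))
    finally:
        os.remove(fixed)
        os.rmdir(shared)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```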