Question on os.tempnam() vulnerability
Fredrik Lundh
fredrik at pythonware.com
Fri Jan 4 15:09:49 EST 2008
cameronwong88 at gmail.com wrote:
> Does anyone know what kind of security risk these messages are
> suggesting?
>
> >>> f = os.tempnam()
> __main__:1: RuntimeWarning: tempnam is a potential security risk to
> your program
> >>> f
> '/tmp/filed4cJNX'
>
> >>> g = os.tmpnam()
> __main__:1: RuntimeWarning: tmpnam is a potential security risk to
> your program
> >>> g
> '/tmp/fileENAuNw'

you get a name instead of a file, so someone else can create that file
after you've called tempnam/tmpnam, but before you've actually gotten
around to creating the file yourself. which means that anyone on the
machine might be able to mess with your application's data.

use the functions marked as "safe" in the tempfile module instead.

</F>
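
An added example, not part of the original post: it contrasts opening a previously chosen name with creating the file atomically, inside a private sandbox directory. The helper names, the sandbox layout and the sample file name are assumptions made for the illustration.

```python
import os
import shutil
import tempfile

def write_name_then_open(path, data):
    """The pattern the warning is about: the name was picked earlier, the file is opened later."""
    with open(path, "w") as fh:      # follows symlinks and reuses any existing file
        fh.write(data)

def write_exclusive(path, data):
    """Create-or-fail: O_EXCL refuses a path that already exists, symlinks included."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def demo():
    sandbox = tempfile.mkdtemp()     # private directory standing in for a shared /tmp
    try:
        other = os.path.join(sandbox, "other-data")
        with open(other, "w") as fh:
            fh.write("original")
        # Constructed stand-in for a name returned by tempnam()/tmpnam().
        guessed = os.path.join(sandbox, "filed4cJNX")
        os.symlink(other, guessed)   # the name got taken before the program used it

        write_name_then_open(guessed, "app data")
        with open(other) as fh:
            clobbered = fh.read() == "app data"   # the write landed in the other file

        try:
            write_exclusive(guessed, "app data")
            refused = False
        except FileExistsError:
            refused = True           # fails closed instead of writing through the link

        # tempfile.mkstemp() picks the name and creates the file in one step.
        fd, safe_path = tempfile.mkstemp(dir=sandbox)
        mode = os.stat(safe_path).st_mode & 0o777
        os.close(fd)
        return clobbered, refused, mode
    finally:
        shutil.rmtree(sandbox)

if __name__ == "__main__":
    print(demo())
```

tempfile.mkstemp() returns an already-open descriptor, so there is no window between choosing the name and creating the file.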