[Python-Dev] Remove tempfile.mktemp()
Sebastian Rittau
srittau at rittau.biz
Tue Mar 19 12:44:19 EDT 2019
On 19.03.19 at 17:23, Giampaolo Rodola' wrote:
> @Sebastian
>> If there are valid use cases for mktemp(), I recommend renaming
>> it to mkname_unsafe() or something equally obvious.
> I'm -1 about adding an alias (there should be one and preferably only
> one way to do it). Also mkstemp() and mkdtemp() are somewhat poorly
> named IMO, but I wouldn't add an alias for them either.
>

Just to clarify: I was not suggesting creating an alias, I was
suggesting renaming the function, but keeping the old name for a
normal deprecation cycle.

But I had another thought: If I understand correctly, the
exploitability of mktemp() relies on the fact that between determining
whether the file exists and creation an attacker can create the file
themselves. Couldn't this problem be solved by generating a filename
of sufficient length using the secrets module? This way the filename
should be "unguessable" and safe.

 - Sebastian
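
The race described in the message, and the secrets-based naming it proposes, as an added example that is not part of the original post or of CPython's tempfile code. The helper names `unguessable_name`, `create_exclusive` and `demo` are hypothetical, and the random name is paired here with O_CREAT|O_EXCL creation so that a path which already exists is detected rather than reused.

```python
import os
import secrets
import tempfile


def unguessable_name(directory, nbytes=16):
    """Path whose last component carries nbytes of CSPRNG output (hypothetical helper)."""
    return os.path.join(directory, "tmp" + secrets.token_urlsafe(nbytes))


def create_exclusive(path):
    """Create path atomically; raise FileExistsError if anything is already there."""
    # O_CREAT|O_EXCL makes the existence check and the creation one system call,
    # and it refuses to follow a symlink sitting at the final path component.
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "w+")


def demo():
    """Run both creation styles in a scratch directory and report what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        # Normal case: fresh random name, created exclusively, owner-only mode.
        path = unguessable_name(d)
        with create_exclusive(path) as f:
            f.write("data")
        out["name_len"] = len(os.path.basename(path))
        out["owner_only"] = (os.stat(path).st_mode & 0o077) == 0

        # Constructed race: the path comes into existence after the name was
        # chosen but before we create it (simulated here by creating it ourselves).
        raced = unguessable_name(d)
        with open(raced, "w") as other:
            other.write("planted")

        # Check-then-open style: open(..., "a") reuses the existing file silently.
        with open(raced, "a") as f:
            f.write("+ours")
        with open(raced) as f:
            out["naive_content"] = f.read()

        # Exclusive creation notices the pre-existing path instead.
        try:
            create_exclusive(raced).close()
            out["exclusive_detected"] = False
        except FileExistsError:
            out["exclusive_detected"] = True
    return out
```

Calling `demo()` returns a dict summarising both outcomes; the 16 random bytes give 128 bits of name entropy, encoded as 22 URL-safe characters.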