[Python-Dev] Remove tempfile.mktemp()

Jeroen Demeyer J.Demeyer at UGent.be
Wed Mar 20 07:53:20 EDT 2019


On 2019-03-20 12:45, Victor Stinner wrote:

> You can watch the /tmp directory using inotify and "discover" the "secret" filename immediately; it doesn't depend on the amount of entropy used to generate the filename.

That's not the problem. The security issue here is guessing the filename before it's created and putting a different file or symlink in place.

So I actually do think that mktemp() could be made secure by using a longer name generated by a secure random generator.
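An added example, not part of this thread or of CPython's tempfile module, showing the race the reply describes and what mkstemp()-style exclusive creation adds to a long random name: a symlink pre-placed at a predicted path makes the O_EXCL open fail instead of being written through. The helper names, the "predicted" filename and the symlink setup are constructed for the demo and run in a private directory.

```python
import errno
import os
import secrets
import shutil
import stat
import tempfile

# mkstemp()-style flags: O_EXCL makes creation atomic and, per POSIX, fails
# with EEXIST even if a symlink sits at the path; O_NOFOLLOW is belt and braces.
_SAFE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)

def unsafe_open(path):
    """mktemp()-style: open a precomputed name later with a plain open().
    A symlink placed at `path` in the meantime is silently followed."""
    return open(path, "w")

def safe_open(path):
    """Create `path` exclusively with mode 0600; raise if anything is already there."""
    return os.fdopen(os.open(path, _SAFE_FLAGS, 0o600), "w")

def create_private_tempfile(directory):
    """Hypothetical helper: unpredictable CSPRNG name *and* exclusive creation."""
    path = os.path.join(directory, "tmp-" + secrets.token_urlsafe(32))
    safe_open(path).close()
    return path

def probe():
    """Constructed demo: a symlink is pre-placed at a name someone 'predicted';
    report what each open strategy does with it."""
    directory = tempfile.mkdtemp()
    try:
        victim = os.path.join(directory, "victim.txt")
        predicted = os.path.join(directory, "tmp-predicted")
        os.symlink(victim, predicted)
        with unsafe_open(predicted) as f:  # follows the link: victim.txt is created
            f.write("data")
        try:
            safe_open(predicted).close()
            refused = False
        except OSError as e:  # EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW
            refused = e.errno in (errno.EEXIST, errno.ELOOP)
        fresh = os.lstat(create_private_tempfile(directory))
        return {"unsafe_wrote_through_symlink": os.path.exists(victim),
                "safe_refused": refused,
                "fresh_is_regular_0600": stat.S_ISREG(fresh.st_mode)
                and stat.S_IMODE(fresh.st_mode) == 0o600}
    finally:
        shutil.rmtree(directory)
```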


