[Python-Dev] Remove tempfile.mktemp()
Jeroen Demeyer J.Demeyer at UGent.be
Wed Mar 20 07:53:20 EDT 2019
On 2019-03-20 12:45, Victor Stinner wrote:
> You can watch the /tmp directory using inotify and "discover" immediately the "secret" filename, it doesn't depend on the amount of entropy used to generate the filename.
That's not the problem. The security issue here is guessing the filename before it's created and putting a different file or symlink in place.
So I actually do think that mktemp() could be made secure by using a longer name generated by a secure random generator.
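The situation described in this message (something already sitting at the chosen name when the file is created), next to an exclusive-create open that detects it. This is an added example, not code from the thread or from CPython; the sandbox directory, file names and helper functions are constructed for illustration.

```python
import os
import tempfile


def write_following(path, data):
    """Create-or-truncate open, the pattern usually paired with a mktemp() name."""
    with open(path, "wb") as f:  # silently follows a symlink that already exists
        f.write(data)


def write_exclusive(path, data):
    """Create the file only if nothing (file or symlink) exists at path."""
    # O_CREAT|O_EXCL makes "check and create" one atomic step in the kernel.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo():
    """Return (victim content after the plain open, whether exclusive open refused)."""
    with tempfile.TemporaryDirectory() as d:     # private sandbox standing in for /tmp
        victim = os.path.join(d, "victim.txt")   # constructed file owned by the writer
        with open(victim, "wb") as f:
            f.write(b"original")

        name = os.path.join(d, "tmpabc123")      # constructed name, assumed already known
        os.symlink(victim, name)                 # placed there before the file is created

        write_following(name, b"temp data")      # write lands in victim.txt instead
        with open(victim, "rb") as f:
            clobbered = f.read()

        try:
            write_exclusive(name, b"temp data")
            refused = False
        except FileExistsError:                  # EEXIST: the name was already taken
            refused = True
        return clobbered, refused


if __name__ == "__main__":
    print(demo())
```

The exclusive open fails with `FileExistsError` whenever the name is already present, however that name was generated, so the caller can pick a new name and retry.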