diff options
| author | Guido van Rossum <guido@python.org> | 1998-10-24 01:34:45 +0000 |
|---|---|---|
| committer | Guido van Rossum <guido@python.org> | 1998-10-24 01:34:45 +0000 |
| commit | 309f1b7d98358b92e1b4b834102bba3beed28472 (patch) | |
| tree | bd88e125077b7ada735b182730dec5b8dea1ecc8 /Lib/tempfile.py | |
| parent | 4afaa29480bc58948fb3704420d550af49589f95 (diff) | |
| download | cpython-309f1b7d98358b92e1b4b834102bba3beed28472.tar.gz | |
The TemporaryFile() function has a security leak -- because the
filenames generated are easily predictable, it is possible to trick an
unsuspecting program into overwriting another file by creating a
symbolic link with the predicted name. Fix this by using the
low-level os.open() function with the O_EXCL flag and mode 0700. On
non-Unix platforms, presumably there are no symbolic links so the
problem doesn't exist. The explicit test for Unix (posix, actually)
makes it possible to change the non-Unix logic to work without a
try-except clause.
The mktemp() file is as unsafe as ever.
Diffstat (limited to 'Lib/tempfile.py')
| -rw-r--r-- | Lib/tempfile.py | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/Lib/tempfile.py b/Lib/tempfile.py index 6a2730a892..140eebccf9 100644 --- a/Lib/tempfile.py +++ b/Lib/tempfile.py @@ -126,11 +126,12 @@ class TemporaryFileWrapper: def TemporaryFile(mode='w+b', bufsize=-1, suffix=""): name = mktemp(suffix) - file = open(name, mode, bufsize) - try: + if os.name == 'posix': + # Unix -- be very careful + fd = os.open(name, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0700) os.unlink(name) - except os.error: + return os.fdopen(fd, mode, bufsize) + else: # Non-unix -- can't unlink file that's still open, use wrapper + file = open(name, mode, bufsize) return TemporaryFileWrapper(file, name) - else: - return file |