python-dev

[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [Python-Dev] Ext4 data loss Zvezdan Petkovic Fri Mar 13 08:00:26 2009 


On Mar 12, 2009, at 3:15 PM, Martin v. Löwis wrote:

You still wouldn't use the tempfile module in that case. Instead, you
would create a regular file, with the name base on the name of the
important file.
If the file is *really* important, you actually want to use a temporary, randomly chosen, *unpredictable* name.
Think about the security implications of a file name that is in advance known to an attacker as well as the fact that the said file will replace an *important* system file.
See the details in any man page on mkstemp() and why it was introduced to replace a predictable mktemp(). Also notice that even mktemp() is better then what you proposed above.
Of course, the above are C functions. I don't think that Python programming is immune from such security considerations either. 

        Zvezdan

_______________________________________________
Python-Dev mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/alexiscircle%40gmail.com