python-dev

[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [Python-Dev] Ext4 data loss Zvezdan Petkovic Fri Mar 13 13:00:20 2009 

On Mar 13, 2009, at 2:31 PM, Martin v. Löwis wrote:
Think about the security implications of a file name that is in advance known to an attacker as well as the fact that the said file will replace an *important* system file. 

You should always use O_EXCL in that case. Relying on random name will
be a severe security threat to the application.
If you read an implementation of mkstemp() function, you'll see that it does exactly that: 

        if ((*doopen = open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
                return(1);
        if (errno != EEXIST)
                return(0);

That's why I mentioned mkstemp() in the OP.

        Zvezdan

_______________________________________________
Python-Dev mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/alexiscircle%40gmail.com