python-dev

[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [Python-Dev] Ext4 data loss Andrew McNabb Fri Mar 13 13:00:22 2009 

On Fri, Mar 13, 2009 at 07:31:21PM +0100, "Martin v. Löwis" wrote:
> > Think about the security implications of a file name that is in advance
> > known to an attacker as well as the fact that the said file will replace
> > an *important* system file.
> 
> You should always use O_EXCL in that case. Relying on random name will
> be a severe security threat to the application.

But mkstemp does open files with O_EXCL, so the two approaches really
aren't that different.  Using tempfile can be a little simpler because
it will eventually succeed.

-- 
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868
_______________________________________________
Python-Dev mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/alexiscircle%40gmail.com