osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] Remove tempfile.mktemp()


On 2019-03-20 12:45, Victor Stinner wrote:
> You can watch the /tmp directory using inotify and "discover"
> immediately the "secret" filename, it doesn't depend on the amount of
> entropy used to generate the filename.

That's not the problem. The security issue here is guessing the filename 
*before* it's created and putting a different file or symlink in place.

So I actually do think that mktemp() could be made secure by using a 
longer name generated by a secure random generator.