authorGuido van Rossum <guido@python.org>1998-10-24 01:34:45 (GMT)
committerGuido van Rossum <guido@python.org>1998-10-24 01:34:45 (GMT)
commitdce3d5502e5498615362cd4edd9c81bc0de3036a (patch)
tree3cbf99572d3ffc3e781e22ecc60a509074b77cd0
parent39926e4bbad759fb6bad3945ebc1fe45cf5d7515 (diff)
The TemporaryFile() function has a security leak -- because the
filenames generated are easily predictable, it is possible to trick an unsuspecting program into overwriting another file by creating a symbolic link with the predicted name. Fix this by using the low-level os.open() function with the O_EXCL flag and mode 0700. On non-Unix platforms, presumably there are no symbolic links so the problem doesn't exist. The explicit test for Unix (posix, actually) makes it possible to change the non-Unix logic to work without a try-except clause. The mktemp() file is as unsafe as ever.
-rw-r--r--Lib/tempfile.py11
1 files changed, 6 insertions, 5 deletions
diff --git a/Lib/tempfile.py b/Lib/tempfile.py
index 6a2730a..140eebc 100644
--- a/Lib/tempfile.py
+++ b/Lib/tempfile.py
@@ -126,11 +126,12 @@ class TemporaryFileWrapper:
def TemporaryFile(mode='w+b', bufsize=-1, suffix=""):
name = mktemp(suffix)
- file = open(name, mode, bufsize)
- try:
+ if os.name == 'posix':
+ # Unix -- be very careful
+ fd = os.open(name, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0700)
os.unlink(name)
- except os.error:
+ return os.fdopen(fd, mode, bufsize)
+ else:
# Non-unix -- can't unlink file that's still open, use wrapper
+ file = open(name, mode, bufsize)
return TemporaryFileWrapper(file, name)
- else:
- return file
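Review bot: The `os.open(...)` call on the posix branch does not handle the case where the name already exists, so a file or symlink planted at the predicted name now makes TemporaryFile() raise os.error to the caller. O_EXCL closes the overwrite, but because the name still comes from mktemp() a local user can make the call fail; catching the already-exists error and retrying with a fresh name a bounded number of times would remove that. The permission argument `0700` also sets the owner-execute bit, which a data file does not need, so the tighter form is `fd = os.open(name, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0600)`. If `os.unlink(name)` or `os.fdopen(fd, mode, bufsize)` raises, the descriptor is never closed, so an `os.close(fd)` on that error path is worth adding. The non-posix branch still creates the file with a plain `open(name, mode, bufsize)`, so it keeps the check-then-create race wherever another local user can write to the temp directory; a comment such as `# NOTE: not exclusive-create; still racy on shared temp dirs` would record that.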