The TemporaryFile() function has a security leak -- because the

filenames generated are easily predictable, it is possible to trick an unsuspecting program into overwriting another file by creating a symbolic link with the predicted name. Fix this by using the low-level os.open() function with the O_EXCL flag and mode 0700. On non-Unix platforms, presumably there are no symbolic links so the problem doesn't exist. The explicit test for Unix (posix, actually) makes it possible to change the non-Unix logic to work without a try-except clause. The mktemp() file is as unsafe as ever.
1998-10-24 01:34:45 +00:00 · 1998-10-24 01:34:45 +00:00 · dce3d5502e
parent 39926e4bba
commit dce3d5502e
1 changed files with 7 additions and 6 deletions
--- a/Lib/tempfile.py
+++ b/Lib/tempfile.py
@ -126,11 +126,12 @@ class TemporaryFileWrapper:

 def TemporaryFile(mode='w+b', bufsize=-1, suffix=""):
    name = mktemp(suffix)
-    file = open(name, mode, bufsize)
-    try:
+    if os.name == 'posix':
+        # Unix -- be very careful
+        fd = os.open(name, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0700)
        os.unlink(name)
-    except os.error:
-        # Non-unix -- can't unlink file that's still open, use wrapper
-        return TemporaryFileWrapper(file, name)
+        return os.fdopen(fd, mode, bufsize)
    else:
-        return file
+        # Non-unix -- can't unlink file that's still open, use wrapper
+        file = open(name, mode, bufsize)
+        return TemporaryFileWrapper(file, name)