Oliver Bestwalter <oli...@bestwalter.de> added the comment:

I am not sure if this justifies a new issue, so I add this here. The suffix parameter can also be used for a traversal attack. It is possible to completely clobber anything in dir and prefix (at least on Windows). E.g. calling mkdtemp or NamedTemporaryFile with these parameters ...

    dir=r"C:\tmp", prefix="pre", suffix="../../../../../../../../../gotcha"

... will result in a directory or file being created at C:/gotcha.

I also wonder if this would justify adding a warning to the documentation for all existing Python versions? Quoting from the documentation of mkstemp (https://docs.python.org/3/library/tempfile.html#tempfile.mkstemp):

> If prefix is specified, the file name will begin with that prefix; otherwise,
> a default prefix is used.
>
> If dir is specified, the file will be created in that directory [...]

As both claims are rendered untrue when using suffix in the above described way, I think this should be amended.

----------
nosy: +obestwalter

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35278>
_______________________________________
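For readers who pass caller-supplied prefix/suffix values to tempfile, here is an added example (not part of the tracker comment or of CPython) of a defensive wrapper: it refuses any separator in prefix or suffix and then verifies that the directory actually created is still under the requested dir. The names safe_mkdtemp, check_component, outcome and run_checks are mine; the traversal-shaped suffixes it tries are constructed test inputs modelled on the report.

```python
import os
import tempfile

# Rejected on every platform: prefix/suffix are fragments of a single file
# name, so neither kind of separator (nor NUL) has a legitimate use there.
_FORBIDDEN = ("/", "\\", "\0")


def check_component(name, value):
    """Raise ValueError if a prefix/suffix could steer the result out of dir."""
    if value is None:
        return
    for bad in _FORBIDDEN:
        if bad in value:
            raise ValueError(f"{name} must be a bare name fragment, got {value!r}")


def safe_mkdtemp(base_dir, prefix="tmp", suffix=""):
    """mkdtemp() for prefix/suffix values from a caller you do not fully trust.
    Validates both up front, then checks the created path is under base_dir."""
    check_component("prefix", prefix)
    check_component("suffix", suffix)
    base = os.path.realpath(base_dir)
    path = tempfile.mkdtemp(prefix=prefix, suffix=suffix, dir=base)
    try:
        inside = os.path.commonpath([base, os.path.realpath(path)]) == base
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    if not inside:  # defence in depth: undo and fail loudly
        os.rmdir(path)
        raise RuntimeError(f"temporary directory escaped {base!r}: {path!r}")
    return path


def outcome(base_dir, prefix, suffix):
    """'created' if a directory was made inside base_dir (and removed again),
    'rejected' if the inputs were refused before anything touched the disk."""
    try:
        path = safe_mkdtemp(base_dir, prefix, suffix)
    except ValueError:
        return "rejected"
    os.rmdir(path)
    return "created"


def run_checks():
    """Try a benign suffix and traversal-shaped ones in a scratch directory;
    returns {suffix: outcome}. The suffix values are constructed samples."""
    base = tempfile.mkdtemp()
    try:
        return {s: outcome(base, "pre", s) for s in ("-ok", "../../gotcha", "sub/dir", "a\\b")}
    finally:
        os.rmdir(base)


if __name__ == "__main__":
    for suffix, result in run_checks().items():
        print(f"{suffix!r:>16} -> {result}")
```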
I am not sure if this justifies a new issue so I add this here. The suffix parameter can also be used for a traversal attack. It is possible to completely clobber anything in dir and prefix (at least on Windows). e.g. calling mkdtemp or NamedTemporaryFile with these paramers ... dir=r"C:\tmp", prefix="pre", suffix="../../../../../../../../../gotcha" Will result in a directory or file being created at C:/gotcha. I also wonder if this would justify adding a warning to the documentation for all existing Python versions? Quoting from the documentation of mkstemp (https://docs.python.org/3/library/tempfile.html#tempfile.mkstemp): > If prefix is specified, the file name will begin with that prefix; otherwise, > a default prefix is used. > > If dir is specified, the file will be created in that directory [...] As both claims are rendered untrue when using suffix in the above described way I think this should be amended. ---------- nosy: +obestwalter _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue35278> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com