New submission from E. Paine <paineeli...@gmail.com>:
Currently, there are many uses of `tempfile.mktemp` in the stdlib. I couldn't find an issue where this has already been discussed, but I think the usage of mktemp in the stdlib should be completely reviewed. I grepped the Lib and a slightly filtered version is the following:

Lib/asyncio/windows_utils.py:34: address = tempfile.mktemp(
Lib/distutils/command/bdist_wininst.py:185: archive_basename = mktemp()
Lib/distutils/util.py:386: (script_fd, script_name) = None, mktemp(".py")
Lib/msilib/__init__.py:214: filename = mktemp()
Lib/multiprocessing/connection.py:81: return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
Lib/multiprocessing/connection.py:83: return tempfile.mktemp(prefix=r'\.\pipe\pyc-%d-%d-' %
Lib/pydoc.py:1620: filename = tempfile.mktemp()
Lib/test/bisect_cmd.py:75: tmp = tempfile.mktemp()
Lib/test/test_bytes.py:1193: tfn = tempfile.mktemp()
Lib/test/test_contextlib.py:316: tfn = tempfile.mktemp()
Lib/test/test_doctest.py:2724: >>> fn = tempfile.mktemp()
Lib/test/test_doctest.py:2734: >>> fn = tempfile.mktemp()
Lib/test/test_doctest.py:2744: >>> fn = tempfile.mktemp()
Lib/test/test_faulthandler.py:51: filename = tempfile.mktemp()
Lib/test/test_shutil.py:1624: filename = tempfile.mktemp(dir=dirname)
Lib/test/test_shutil.py:1935: dst_dir = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_shutil.py:2309: name = tempfile.mktemp(dir=os.getcwd())
Lib/test/test_shutil.py:272: filename = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_shutil.py:677: dst = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_socket.py:699: path = tempfile.mktemp(dir=self.dir_path)
Lib/test/test_socketserver.py:100: fn = tempfile.mktemp(prefix='unix_socket.', dir=dir)

I am hoping this issue will be spotted as I couldn't find who to add to the nosy for this.

I think, bearing in mind that use of this method is a security issue, we should reduce this number as low as feasible (though, I am sure that a number of those will have good reasons for using mktemp, and will be doing so in a safe way).

----------
components: Library (Lib)
messages: 380450
nosy: epaine
priority: normal
severity: normal
status: open
title: Remove usage of tempfile.mktemp in stdlib
type: security
versions: Python 3.10, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42278>
_______________________________________
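
Added example, not part of the original tracker message and not CPython code: a text search like the one above misses `mktemp` imported under another name and also matches string literals, so this sketch resolves imports with `ast` before reporting calls. The `SAMPLE` source and the `find_mktemp_calls` helper are constructed for illustration; it tracks module-level names only and does not follow rebinding inside scopes.

```python
import ast

# Constructed sample source (not taken from the stdlib) covering the import
# styles a plain text search for "tempfile.mktemp" can miss or over-match.
SAMPLE = '''\
import tempfile
import tempfile as tf
from tempfile import mktemp, mkstemp
from tempfile import mktemp as make_name

a = tempfile.mktemp()
b = tf.mktemp(suffix=".py")
c = mktemp(".py")
d = make_name()
fd, e = mkstemp()          # safe: creates the file atomically
note = "tempfile.mktemp()"  # string literal, not a call
'''


def find_mktemp_calls(source, filename="<sample>"):
    """Return sorted (lineno, source_text) for calls resolving to tempfile.mktemp."""
    tree = ast.parse(source, filename)
    modules = set()    # local names bound to the tempfile module
    functions = set()  # local names bound to tempfile.mktemp
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "tempfile":
                    modules.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "tempfile":
            for alias in node.names:
                if alias.name == "mktemp":
                    functions.add(alias.asname or alias.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        direct = isinstance(f, ast.Name) and f.id in functions
        via_module = (isinstance(f, ast.Attribute) and f.attr == "mktemp"
                      and isinstance(f.value, ast.Name) and f.value.id in modules)
        if direct or via_module:
            hits.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, text in find_mktemp_calls(SAMPLE):
        print(f"<sample>:{lineno}: {text}")
```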