On 20.03.19 at 09:47, Anders Munch wrote:
Greg Ewing:
So use NamedTemporaryFile(delete = False) and close it before passing it to the other program.

That's effectively the same as calling tempfile.mktemp. While it does waste time opening and closing an unused file, that doesn't help with security. If anything, it might worsen security.

That is not actually true. The important difference is that with NamedTemporaryFile the file exists with appropriate access rights (0600). This denies other users access to that file. With mktemp() no file is created, so another user can "hijack" that name and cause programs to write potentially privileged data into or read manipulated data from that file.

 - Sebastian
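
Added example (not part of the thread, and not code from any of the posters): a side-by-side check of what exists on disk after NamedTemporaryFile(delete=False) versus tempfile.mktemp(). The helper names are hypothetical and a POSIX system is assumed (os.getuid, permission bits).

```python
import os
import stat
import tempfile


def reserved_temp_path(directory=None):
    """Create the file up front (exclusive create, mode 0600), close it, return its path."""
    with tempfile.NamedTemporaryFile(dir=directory, delete=False) as f:
        return f.name


def describe(path):
    """Return (exists, permission bits, owned by current user) for path."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the name
    except FileNotFoundError:
        return (False, None, None)
    return (True, stat.S_IMODE(st.st_mode), st.st_uid == os.getuid())


def exclusive_create(path):
    """Try to create path with O_EXCL; True only if nothing was there before."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def demo():
    """Compare a pre-created temp file with a bare mktemp() name in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        reserved = reserved_temp_path(d)
        bare = tempfile.mktemp(dir=d)  # deprecated: returns a name, creates nothing
        return {
            "reserved": describe(reserved),
            "bare": describe(bare),
            # The pre-created name is already taken, so a later create fails:
            "reserved_still_free": exclusive_create(reserved),
            # The mktemp() name belongs to whoever creates it first:
            "bare_still_free": exclusive_create(bare),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```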

