On 2019-03-20 12:45, Victor Stinner wrote:
You can watch the /tmp directory using inotify and immediately "discover" the "secret" filename; it doesn't depend on the amount of entropy used to generate the filename.
That's not the problem. The security issue here is guessing the filename *before* it's created and putting a different file or symlink in place.
So I actually do think that mktemp() could be made secure by using a longer name generated by a secure random generator.
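As an added example (not part of the thread, and not CPython's own code): the race described above is closed by atomic creation with O_CREAT|O_EXCL, which is what tempfile.mkstemp() already does, so a pre-planted entry at the chosen path makes creation fail instead of being followed. The directory and file names are constructed for the demonstration.

```python
import os
import tempfile


def create_exclusive(path: str) -> int:
    """Create `path` atomically. With O_CREAT|O_EXCL the kernel refuses if any
    entry already exists there (including a symlink, whatever it points to),
    so a name guessed in advance cannot be hijacked. Returns the open fd."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # extra hardening where available
    return os.open(path, flags | nofollow, 0o600)


def demo() -> dict:
    """Constructed scenario in a private directory: one path is free, the other
    already holds a symlink to a 'victim' file, standing in for an entry that
    appeared before our create call."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("original")
    free_path = os.path.join(workdir, "free")
    planted = os.path.join(workdir, "planted")
    os.symlink(victim, planted)

    results = {}
    fd = create_exclusive(free_path)
    os.write(fd, b"ok")
    os.close(fd)
    results["free_created"] = os.path.isfile(free_path)

    try:
        create_exclusive(planted)
        results["planted_refused"] = False
    except FileExistsError:  # EEXIST: the pre-existing symlink was not followed
        results["planted_refused"] = True

    with open(victim) as f:
        results["victim_intact"] = f.read() == "original"

    # mkstemp() uses the same O_EXCL discipline and a 0o600 mode, so it is safe
    # regardless of how guessable the name is; mktemp() only returns a name.
    fd, secure_path = tempfile.mkstemp(dir=workdir)
    os.close(fd)
    results["mkstemp_mode_private"] = (os.stat(secure_path).st_mode & 0o777) == 0o600
    return results
```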