Author obestwalter
Recipients Yusuke Endoh, cheryl.sabella, lukasz.langa, obestwalter, thorleon, vstinner
Date 2019-04-14.12:35:27
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1555245327.77.0.0742320500359.issue35278@roundup.psfhosted.org>
In-reply-to
Content
I am not sure if this justifies a new issue so I add this here.

The suffix parameter can also be used for a traversal attack. It is possible to completely clobber anything in dir and prefix (at least on Windows).

e.g. calling mkdtemp or NamedTemporaryFile with these paramers ...

dir=r"C:\tmp",
prefix="pre",
suffix="../../../../../../../../../gotcha"

Will result in a directory or file being created at C:/gotcha.

I also wonder if this would justify adding a warning to the documentation for all existing Python versions?

Quoting from the documentation of mkstemp (https://docs.python.org/3/library/tempfile.html#tempfile.mkstemp):

> If prefix is specified, the file name will begin with that prefix; otherwise, a default prefix is used.
>
> If dir is specified, the file will be created in that directory [...]

As both claims are rendered untrue when using suffix in the above described way I think this should be amended.
History
Date User Action Args
2019-04-14 12:35:27obestwaltersetrecipients: + obestwalter, vstinner, lukasz.langa, cheryl.sabella, Yusuke Endoh, thorleon
2019-04-14 12:35:27obestwaltersetmessageid: <1555245327.77.0.0742320500359.issue35278@roundup.psfhosted.org>
2019-04-14 12:35:27obestwalterlinkissue35278 messages
2019-04-14 12:35:27obestwaltercreate