Author obestwalter
Recipients Yusuke Endoh, cheryl.sabella, lukasz.langa, obestwalter, thorleon, vstinner
Date 2019-04-14.12:35:27
I am not sure if this justifies a new issue, so I add this here.

The suffix parameter can also be used for a traversal attack. It is possible to completely clobber anything in dir and prefix (at least on Windows).

e.g. calling mkdtemp or NamedTemporaryFile with these parameters ...


Will result in a directory or file being created at C:/gotcha.

I also wonder if this would justify adding a warning to the documentation for all existing Python versions?

Quoting from the documentation of mkstemp (

> If prefix is specified, the file name will begin with that prefix; otherwise, a default prefix is used.
> If dir is specified, the file will be created in that directory [...]

As both claims are rendered untrue when using suffix in the above-described way, I think this should be amended.
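One defensive check for this, as an added example that is not part of the original thread or of CPython's tempfile module: it mirrors how tempfile assembles a candidate path (join(dir, prefix + random + suffix)) to show the traversal lexically for both POSIX and Windows path rules on one host, and wraps mkdtemp so that a prefix or suffix carrying a separator, parent reference or drive is rejected before anything is created. The separator-carrying suffix below is a constructed sample, not the parameters used in the original message.

```python
import ntpath
import os
import posixpath
import tempfile


def candidate_path(path_mod, dir, prefix, name, suffix):
    """Assemble a candidate the way tempfile does: join(dir, prefix + name + suffix).

    path_mod is posixpath or ntpath so both platforms can be shown on one host;
    `name` stands in for the random part that tempfile generates."""
    return path_mod.join(dir, prefix + name + suffix)


def escapes_dir(path_mod, dir, candidate):
    """Lexical check (no filesystem access): does the candidate resolve outside dir?"""
    base = path_mod.normcase(path_mod.normpath(dir))
    target = path_mod.normcase(path_mod.normpath(candidate))
    return path_mod.commonpath([base, target]) != base


def is_plain_component(path_mod, s):
    """A prefix/suffix is acceptable only if it cannot change directory:
    no separators, no parent reference, no drive or root."""
    if s in (".", ".."):
        return False
    if path_mod.dirname(s) or path_mod.splitdrive(s)[0]:
        return False
    return path_mod.sep not in s and not (path_mod.altsep and path_mod.altsep in s)


def safe_mkdtemp(suffix=None, prefix=None, dir=None):
    """mkdtemp that refuses a suffix or prefix able to steer the result out of dir.

    Hypothetical wrapper for this example; validated against the host's os.path."""
    for label, value in (("suffix", suffix), ("prefix", prefix)):
        if value is not None and not is_plain_component(os.path, value):
            raise ValueError(f"{label} {value!r} must be a single path component")
    return tempfile.mkdtemp(suffix=suffix, prefix=prefix, dir=dir)


if __name__ == "__main__":
    # Constructed input: a suffix carrying a separator and parent references.
    for mod, base in ((posixpath, "/tmp"), (ntpath, "C:\\Temp")):
        cand = candidate_path(mod, base, "tmp", "abc123", "/../../gotcha")
        print(mod.__name__, cand, "-> escapes dir:", escapes_dir(mod, base, cand))
    created = safe_mkdtemp(prefix="demo_")
    print("created inside the default temp dir:", created)
    os.rmdir(created)
```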
Date                User         Action           Args
2019-04-14 12:35:27 obestwalter  set recipients:  + obestwalter, vstinner, lukasz.langa, cheryl.sabella, Yusuke Endoh, thorleon
2019-04-14 12:35:27 obestwalter  set messageid:   <>
2019-04-14 12:35:27 obestwalter  link issue35278  messages
2019-04-14 12:35:27 obestwalter  create