Author epaine
Recipients epaine
Date 2020-11-06.14:57:51
Currently, there are many uses of `tempfile.mktemp` in the stdlib. I couldn't find an issue where this has already been discussed, but I think the usage of mktemp in the stdlib should be completely reviewed. I grepped the Lib and a slightly filtered version is the following:

Lib/asyncio/ address = tempfile.mktemp(
Lib/distutils/command/ archive_basename = mktemp()
Lib/distutils/ (script_fd, script_name) = None, mktemp(".py")
Lib/msilib/ filename = mktemp()
Lib/multiprocessing/ return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
Lib/multiprocessing/ return tempfile.mktemp(prefix=r'\.\pipe\pyc-%d-%d-' %
Lib/ filename = tempfile.mktemp()
Lib/test/ tmp = tempfile.mktemp()
Lib/test/ tfn = tempfile.mktemp()
Lib/test/ tfn = tempfile.mktemp()
Lib/test/ >>> fn = tempfile.mktemp()
Lib/test/ >>> fn = tempfile.mktemp()
Lib/test/ >>> fn = tempfile.mktemp()
Lib/test/ filename = tempfile.mktemp()
Lib/test/ filename = tempfile.mktemp(dir=dirname)
Lib/test/ dst_dir = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/ name = tempfile.mktemp(dir=os.getcwd())
Lib/test/ filename = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/ dst = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/ path = tempfile.mktemp(dir=self.dir_path)
Lib/test/ fn = tempfile.mktemp(prefix='unix_socket.', dir=dir)

I am hoping this issue will be spotted as I couldn't find who to add to the nosy for this. I think, bearing in mind that use of this method is a security issue, we should reduce this number as low as feasible (though, I am sure that a number of those will have good reasons for using mktemp, and will be doing so in a safe way).
Date | User | Action | Args
2020-11-06 14:57:52 | epaine | set | recipients: + epaine
2020-11-06 14:57:52 | epaine | set | messageid: <>
2020-11-06 14:57:52 | epaine | link | issue42278 messages
2020-11-06 14:57:51 | epaine | create |
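
An added example, not part of the original message and not CPython's own code: the two usual replacements for the `mktemp` call sites listed above, one for when a file is needed and one for when only a path is needed (a socket address or a destination that must not exist yet). The function names and the `example-` prefix are hypothetical, and the socket helper assumes a platform with `AF_UNIX`.

```python
import os
import socket
import stat
import tempfile


def write_temp_file(data):
    """File case: mkstemp() creates and opens the file in one step
    (O_CREAT | O_EXCL, mode 0o600), so there is no gap between choosing
    the name and creating the file, unlike open(tempfile.mktemp(), 'wb')."""
    fd, path = tempfile.mkstemp(prefix="example-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def private_path(name):
    """Path-only case: mkdtemp() creates a directory with mode 0o700, so a
    name inside it cannot be pre-created by another local user. The caller
    is responsible for removing the directory afterwards."""
    return os.path.join(tempfile.mkdtemp(prefix="example-"), name)


def bind_unix_listener():
    """Bind a Unix-domain socket at a path inside a private directory."""
    address = private_path("listener.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(address)
    srv.listen(1)
    return srv, address


if __name__ == "__main__":
    path = write_temp_file(b"constructed sample data")
    print(path, oct(stat.S_IMODE(os.stat(path).st_mode)))
    os.remove(path)

    srv, address = bind_unix_listener()
    print(address, stat.S_ISSOCK(os.stat(address).st_mode))
    srv.close()
    os.remove(address)
    os.rmdir(os.path.dirname(address))
```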