
Author epaine
Recipients epaine
Date 2020-11-06.14:57:51
Message-id <1604674672.14.0.368213492276.issue42278@roundup.psfhosted.org>
Content
Currently, there are many uses of `tempfile.mktemp` in the stdlib. I couldn't find an issue where this has already been discussed, but I think the usage of mktemp in the stdlib should be completely reviewed. I grepped the Lib and a slightly filtered version is the following:

Lib/asyncio/windows_utils.py:34: address = tempfile.mktemp(
Lib/distutils/command/bdist_wininst.py:185: archive_basename = mktemp()
Lib/distutils/util.py:386: (script_fd, script_name) = None, mktemp(".py")
Lib/msilib/__init__.py:214: filename = mktemp()
Lib/multiprocessing/connection.py:81: return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
Lib/multiprocessing/connection.py:83: return tempfile.mktemp(prefix=r'\.\pipe\pyc-%d-%d-' %
Lib/pydoc.py:1620: filename = tempfile.mktemp()
Lib/test/bisect_cmd.py:75: tmp = tempfile.mktemp()
Lib/test/test_bytes.py:1193: tfn = tempfile.mktemp()
Lib/test/test_contextlib.py:316: tfn = tempfile.mktemp()
Lib/test/test_doctest.py:2724: >>> fn = tempfile.mktemp()
Lib/test/test_doctest.py:2734: >>> fn = tempfile.mktemp()
Lib/test/test_doctest.py:2744: >>> fn = tempfile.mktemp()
Lib/test/test_faulthandler.py:51: filename = tempfile.mktemp()
Lib/test/test_shutil.py:1624: filename = tempfile.mktemp(dir=dirname)
Lib/test/test_shutil.py:1935: dst_dir = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_shutil.py:2309: name = tempfile.mktemp(dir=os.getcwd())
Lib/test/test_shutil.py:272: filename = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_shutil.py:677: dst = tempfile.mktemp(dir=self.mkdtemp())
Lib/test/test_socket.py:699: path = tempfile.mktemp(dir=self.dir_path)
Lib/test/test_socketserver.py:100: fn = tempfile.mktemp(prefix='unix_socket.', dir=dir)

I am hoping this issue will be spotted as I couldn't find who to add to the nosy for this. I think, bearing in mind that use of this method is a security issue, we should reduce this number as low as feasible (though, I am sure that a number of those will have good reasons for using mktemp, and will be doing so in a safe way).
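
One way to carry out the review the message above asks for, as an added example that is not part of the original message or of CPython: an `ast`-based scan that, unlike a grep, skips docstring and doctest mentions and separates calls whose `dir=` is a fresh `mkdtemp()` directory from the rest. The sample source, the function name `find_mktemp_calls` and the `dir=mkdtemp()` heuristic are assumptions made for illustration.

```python
import ast

# Constructed sample, modelled on the call shapes in the grep listing above.
SAMPLE = '''
import tempfile
from tempfile import mktemp

def a():
    return tempfile.mktemp()

def b():
    return mktemp(".py")

def c(self):
    return tempfile.mktemp(dir=self.mkdtemp())

def d():
    """>>> fn = tempfile.mktemp()"""
    return tempfile.mkstemp()
'''

def find_mktemp_calls(source):
    """Return sorted (lineno, call_text, note) for each mktemp call in source."""
    tree = ast.parse(source)
    # Local names bound by `from tempfile import mktemp [as x]`.
    aliases = {a.asname or a.name
               for n in ast.walk(tree)
               if isinstance(n, ast.ImportFrom) and n.module == "tempfile"
               for a in n.names if a.name == "mktemp"}
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if not ((isinstance(f, ast.Attribute) and f.attr == "mktemp")
                or (isinstance(f, ast.Name) and f.id in aliases)):
            continue
        # Heuristic (assumption): a name inside a fresh mkdtemp() directory,
        # which is created accessible only to its owner, is lower priority.
        d = next((k.value for k in node.keywords if k.arg == "dir"), None)
        fn = getattr(d, "func", None)
        private = getattr(fn, "attr", getattr(fn, "id", None)) == "mkdtemp"
        note = ("dir=mkdtemp(): private directory" if private
                else "review: name is not reserved before use")
        hits.append((node.lineno, ast.get_source_segment(source, node), note))
    return sorted(hits)

if __name__ == "__main__":
    for lineno, text, note in find_mktemp_calls(SAMPLE):
        print(f"{lineno}: {text}  [{note}]")
```

The attribute match is by name only, so any `x.mktemp(...)` call is reported; that over-reporting is acceptable for a review list that a person will read.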