
Author dlukes
Recipients dlukes
Date 2021-03-23.15:41:03
Message-id <1616514063.52.0.708008091286.issue43604@roundup.psfhosted.org>
Content
> A secure `mktemp` could be as simple as ...

Though in practice, I'd rather be inclined to make the change in `tempfile._RandomNameSequence`, so as to get the same behavior across the entire module, instead of special-casing `mktemp`. As Guido van Rossum points out (see <https://mail.python.org/pipermail/python-dev/2019-March/156746.html>), that would improve the security of all the names generated by the `tempfile` module, not just `mktemp`:

> Hm, the random sequence (implemented in tempfile._RandomNameSequence) is
> currently derived from the random module, which is not cryptographically
> secure. Maybe all we need to do is replace its source of randomness with
> one derived from the secrets module. That seems a one-line change.
History
Date | User | Action | Args
2021-03-23 15:41:03 | dlukes | set | recipients: + dlukes
2021-03-23 15:41:03 | dlukes | set | messageid: <1616514063.52.0.708008091286.issue43604@roundup.psfhosted.org>
2021-03-23 15:41:03 | dlukes | link | issue43604 messages
2021-03-23 15:41:03 | dlukes | create |
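
The idea discussed in the message above, as an added example that is not CPython's code and not part of the original message: a name sequence that draws from `secrets` instead of `random`, paired with an exclusive create so that a name is only ever a candidate. The names `SecretsNameSequence`, `prng_names` and `create_exclusive`, and the alphabet and length, are assumptions made for this illustration.

```python
import os
import random
import secrets


class SecretsNameSequence:
    """Iterator of random name components drawn from the OS CSPRNG."""

    # Alphabet and default length are choices made for this example.
    characters = "abcdefghijklmnopqrstuvwxyz0123456789_"

    def __init__(self, length=8):
        self.length = length

    def __iter__(self):
        return self

    def __next__(self):
        return "".join(secrets.choice(self.characters)
                       for _ in range(self.length))


def prng_names(seed, count, length=8):
    """Names from a seeded Mersenne Twister (the `random` module).

    The same internal state always yields the same names, which is why
    such a source is not suitable where names must be unguessable.
    """
    rng = random.Random(seed)
    alphabet = SecretsNameSequence.characters
    return ["".join(rng.choices(alphabet, k=length)) for _ in range(count)]


def create_exclusive(directory, names, prefix="tmp", attempts=100):
    """Create and open a new file named from `names`; return (fd, path).

    O_CREAT | O_EXCL makes the open fail if the path already exists
    (including as a symlink), so a pre-existing name is skipped rather
    than reused. Unguessable names only reduce how often that happens.
    """
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for _ in range(attempts):
        path = os.path.join(directory, prefix + next(names))
        try:
            return os.open(path, flags, 0o600), path
        except FileExistsError:
            continue  # name already taken: try the next candidate
    raise FileExistsError("no usable temporary file name found")
```
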