~ubuntu-branches/debian/sid/bandit/sid

« back to all changes in this revision

Viewing changes to docs/temp.md

• browse files at revision 1
• compare with another revision
• download diff
• download tarball
• view history from revision 1

Show diffs side-by-side

added

removed

docs/temp.md

 

1

Predictable temporary path

 

2

=====================

 

3

Creating a temporary file on disk is a common practice, however it has the

 

4

potential to be a source of problems. Naively creating such files using the

 

5

system wide ``/tmp`` folder for example, may result in predictable and

 

6

unprotected file paths. This could allow an attacker to anticipate where

 

7

temporary files will be found and to read or modify them. Manipulation of

 

8

temporary files can result in the ability to control, deny or damage a process

 

9

or system, or gain access to sensitive information. Please see [0] for more

 

10

details.

 

11

 

 

12

### Correct

 

13

```python

 

14

import tempfile

 

15

tmp = tempfile.mkstemp()

 

16

```

 

17

 

 

18

### Incorrect

 

19

```python

 

20

tmp = open('/tmp/my-tmp-file')

 

21

tmp = open(tempfile.mktemp(), "w")

 

22

```

 

23

 

 

24

## Consequences

 

25

* Unintended control of processes or systems

 

26

* Unintended destruction or denial of services

 

27

* Data theft or leakage

 

28

 

 

29

## References

 

30

* [0] https://security.openstack.org/guidelines/dg_using-temporary-files-securely.html

• Older »

Loggerhead is a web-based interface for Breezy
Version: 2.0.1