[Aahz, quoting an anonymous security report]
> >> >> It is possible to create a link of the file to be executed
> >> >> (t) in the limited time window between the statements
> >> >> os.path.exists(file) in tempfile.py and execv(t, ('blah',)) in
> >> >> os.py are executed.

[Zack]
> >> That is exactly the signature of one of the tempfile bugs that I
> >> fixed. I do not know whether any official 2.2.x release has yet
> >> occurred that includes the bugfix.

[Aahz]
> > That's what I suspected. Did you check that into the 2.2.x maint
> > branch? (I remember that you did, but I'm triple-checking.)

[Zack]
> I don't have write privileges. I thought that it was checked into the
> 2.2.x maint branch but I don't actually know.

Zack's changes to tempfile.py were *not* checked into Python 2.2 -- they
require API changes that are difficult to justify. (The changes by Zack
that you remember being checked into 2.2 were execve.)

A problem with Zack's tempfile changes is that many uses of mktemp are
perfectly safe, and the warning is so annoying that I decided to disable
the warning. I'm not quite sure what to do now.

--Guido van Rossum (home page: http://www.python.org/~guido/)
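The report quoted above describes a check-then-use race: mktemp() confirms a name is free, creates nothing, and whatever the caller does with the name later (here an exec, in most code an open) trusts that the name is still free. The script below is an added illustration, not code from this thread or from Python's own tempfile.py. It assumes only the standard-library tempfile module, using mktemp() as discussed in the thread and mkstemp() as the exclusive-create alternative, and it plays the interloper itself so the three patterns can be compared offline: the naive mktemp()+open() caller never notices the planted file, an O_CREAT|O_EXCL open turns the same situation into a visible error, and mkstemp() removes the window altogether by returning an already-created, already-open descriptor.

```python
import os
import tempfile

# Added example (not code from the python-dev thread). It assumes only the
# standard-library tempfile module: mktemp() (the API discussed in the thread)
# and mkstemp(), the exclusive-create replacement. Everything below runs in a
# throwaway directory it creates itself.


def interloper_creates(path):
    """Stand-in for the 'other party' in the race: a file appears at the
    name mktemp() just handed out, before the caller gets to open it."""
    with open(path, "w") as fh:
        fh.write("planted\n")


def naive_mktemp_user(directory):
    """Check-then-use pattern: mktemp() verified the name was free, then
    created nothing. A plain open(name, 'w') later accepts whatever is
    there now, so the race is invisible to the caller."""
    name = tempfile.mktemp(dir=directory)
    interloper_creates(name)            # the window the report describes
    with open(name, "w") as fh:         # caller overwrites the planted file
        fh.write("ours\n")
    return "silently reused"


def exclusive_mktemp_user(directory):
    """Same name choice, but the creation is one O_CREAT|O_EXCL syscall:
    a file that already exists is an error the caller can act on."""
    name = tempfile.mktemp(dir=directory)
    interloper_creates(name)
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return "detected"
    os.close(fd)
    return "created"


def mkstemp_user(directory):
    """mkstemp() folds the name choice and the exclusive create into one
    call and returns the open descriptor, so there is no window between
    'this name is free' and 'this file is mine'."""
    fd, name = tempfile.mkstemp(dir=directory)
    try:
        os.write(fd, b"ours\n")
    finally:
        os.close(fd)
    with open(name) as fh:
        return fh.read()


def run_demo():
    """Run all three patterns in a fresh directory; returns their outcomes."""
    directory = tempfile.mkdtemp()
    return {
        "naive": naive_mktemp_user(directory),
        "exclusive": exclusive_mktemp_user(directory),
        "mkstemp": mkstemp_user(directory),
    }


if __name__ == "__main__":
    for pattern, outcome in run_demo().items():
        print(f"{pattern}: {outcome}")
```

The point Guido makes about "many uses of mktemp are perfectly safe" is visible here: the name returned by mktemp() is not the problem, the unconditional open (or exec) that follows it is. Where the caller cannot use mkstemp(), opening with O_EXCL and treating FileExistsError as a failure is the minimum check that turns a silent race into a detectable one.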