tags:

views:

137

answers:

2
+1  Q: 

How insecure is / replacement for tmpnam?

I considered using tmpnam to set the output file name of a QPrinter. But the Python documentation recommends against using it.

os.tmpnam()

Return a unique path name that is reasonable for creating a temporary file. ... Applications are responsible for properly creating and managing files created using paths returned by tmpnam(); no automatic cleanup is provided.

Warning

Use of tmpnam() is vulnerable to symlink attacks; consider using tmpfile() (section File Object Creation) instead.

Windows: Microsoft’s implementation of tmpnam() always creates a name in the root directory of the current drive, and that’s generally a poor location for a temp file (depending on privileges, you may not even be able to open a file using this name).

  • Is this really insecure if my application doesn't need any special privileges?
  • What are secure alternatives considering that I can only set a path as the output file name of the QPrinter?
+6  A: 

Please read http://docs.python.org/library/tempfile.html

Use that instead.

S.Lott  2009-11-05 11:10:37
http://docs.python.org/library/tempfile.html#tempfile.mkstemp in particular
NicDumZ  2009-11-05 11:25:57
Thanks. I don't suppose this creates a big security risk if I get a name using `NamedTemporaryFile` and supply it to `QPrinter`.
Georg  2009-11-05 12:41:20
I'm not sure what you're supposing. `tempfile` has the most secure temporary files. It doesn't really require a supposition; that's what the claim is. Is there some further question? Some clarification you need?
S.Lott  2009-11-05 13:14:04
A: 

Depending on how your QPrinter deals with a file that already exists, you could use QTemporaryFile to create a file, then close the file and keep the reference to the QTemporaryFile object around until you are done with it. (This will also clean up the file for you when you destroy the object.)

Caleb Huitt - cjhuitt  2009-11-05 17:59:30

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security