- Subject: Re: os.tmpname security risk?
- From: steve donovan <steve.j.donovan@...>
- Date: Sat, 2 Jul 2011 19:20:28 +0200

On Sat, Jul 2, 2011 at 12:29 PM, HyperHacker <hyperhacker@gmail.com> wrote:
> But what stops someone from removing that file and creating their own,
> or changing its permissions? It doesn't seem like this really
> mitigates the risk at all.

As the Monty Python skit goes, 'Sheer luxury!'. os.tmpname() doesn't
even give you a suitable path to a temporary folder on Windows (you
would get something like '\s4n4.'). Not Lua's fault, of course, but
another example of the neglected wasteland known as the Windows C
run-time.

The version I use then is something like os.getenv('TMP')..os.tmpname().

steve d.
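
The workaround in the message above, written out as an added example that is not part of the original post: it prefixes the temp directory only when os.tmpname() returned a bare root-relative name, and refuses to fall back to the drive root when TMP/TEMP is unset. The function names and sample paths are constructed for illustration; it does not close the replace-the-file race raised in the quoted question, since stock Lua has no portable exclusive-create open.

```lua
-- Added example; helper names are hypothetical, sample paths are constructed.
local function is_windows()
  -- package.config starts with the directory separator of the host platform
  return package.config:sub(1, 1) == "\\"
end

-- Pure function so the path logic can be checked without touching the disk.
-- name:   value returned by os.tmpname()
-- tmpdir: value of TMP/TEMP, may be nil
local function qualify_tmpname(name, tmpdir, windows)
  if not windows then return name end      -- e.g. /tmp/lua_XXXXXX, already usable
  -- Bare root-relative name such as "\s4n4.": one leading backslash,
  -- no drive letter and no further directory separators.
  if not name:match("^\\[^\\/:]+$") then
    return name                            -- already carries a directory part
  end
  if not tmpdir or tmpdir == "" then
    return nil, "TMP/TEMP not set; refusing root-relative name " .. name
  end
  -- Strip trailing separators so the result has exactly one before the name.
  return (tmpdir:gsub("[\\/]+$", "")) .. name
end

local function tmpname()
  local dir = os.getenv("TMP") or os.getenv("TEMP")
  return qualify_tmpname(os.tmpname(), dir, is_windows())
end

-- Constructed inputs exercising each branch
assert(qualify_tmpname("\\s4n4.", "C:\\Users\\me\\AppData\\Local\\Temp", true)
       == "C:\\Users\\me\\AppData\\Local\\Temp\\s4n4.")
assert(qualify_tmpname("\\s4n4.", "C:\\Temp\\", true) == "C:\\Temp\\s4n4.")
assert(qualify_tmpname("C:\\Temp\\s4n4.", "C:\\Temp", true) == "C:\\Temp\\s4n4.")
assert(qualify_tmpname("/tmp/lua_a1b2c3", nil, false) == "/tmp/lua_a1b2c3")
assert(qualify_tmpname("\\s4n4.", nil, true) == nil)

local path, err = tmpname()
print(path or err)
if path then os.remove(path) end  -- some builds create the file; clean up
```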