- Subject: Re: os.tmpname security risk?
- From: "Dimiter \"malkia\" Stanev" <malkia@...>
- Date: Sat, 02 Jul 2011 19:06:24 -0700
On 7/2/11 10:20 AM, steve donovan wrote:
> On Sat, Jul 2, 2011 at 12:29 PM, HyperHacker<firstname.lastname@example.org> wrote:
>> But what stops someone from removing that file and creating their own,
>> or changing its permissions? It doesn't seem like this really
>> mitigates the risk at all.
>
> As the Monty Python skit goes, 'Sheer luxury!'. os.tmpname() doesn't
> even give you a suitable path to a temporary folder on Windows (you
> would get something like '\s4n4.'). Not Lua's fault, of course, but
> another example of the neglected wasteland known as the Windows C
>
> The version I use then is something like os.getenv('TMP')..os.tmpname().

Sometimes temporary files have to be in the same directory, so later
rename is atomic (not that it's always atomic, but close enough).
Same directory as this would mean same file system, or file drive.
(Otherwise the system would have to copy the file?)
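
The pattern discussed in this thread, as an added POSIX C example that is not part of the original post: the temporary file is created beside the target with mkstemp(), which names and creates it in one step, and is then moved into place with rename(). The helper name atomic_write and the ".XXXXXX" suffix are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread): replace `path` with `len` bytes
 * of `data`. Returns 0 on success, -1 with errno set on failure. */
int atomic_write(const char *path, const void *data, size_t len)
{
    char tmp[4096];
    /* Name the temp file beside the target: same directory means same file
     * system, so rename() is a metadata-only swap and cannot fail with EXDEV. */
    int n = snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if (n < 0 || (size_t)n >= sizeof tmp) { errno = ENAMETOOLONG; return -1; }
    /* mkstemp() chooses the name and creates the file in one call with
     * O_CREAT|O_EXCL and mode 0600, so a pre-planted file or symlink at that
     * name makes it retry or fail instead of being opened. */
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    const char *p = data;
    size_t left = len;
    while (left > 0) {
        ssize_t w = write(fd, p, left);
        if (w < 0 && errno == EINTR) continue;
        if (w < 0) goto fail;
        p += w;
        left -= (size_t)w;
    }
    if (fsync(fd) != 0) goto fail;           /* data on disk before it becomes visible */
    if (close(fd) != 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmp, path) != 0) goto fail;   /* readers see old or new, never partial */
    return 0;

fail:;
    int saved = errno;
    if (fd >= 0) close(fd);
    unlink(tmp);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s FILE TEXT\n", argv[0]); return 2; }
    return atomic_write(argv[1], argv[2], strlen(argv[2])) == 0 ? 0 : (perror(argv[1]), 1);
}
```

The replaced file ends up with the temp file's 0600 mode; call fchmod() on the descriptor before rename() if the target needs different permissions.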