InsecureTemporaryFile.qhelp
51 lines (43 loc) · 1.57 KB
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
Creating a new temporary file using the <code>mktemp</code> function in the
<code>tempfile</code> module does not ensure exclusive access to the file: it
simply returns a filename that is guaranteed to be unique at the point when
<code>mktemp</code> returns. Opening a file with this name must then happen
separately, and there is no guarantee that these two operations will happen
atomically. Because of this, it may be possible for an attacker to interfere
with the file before it is opened.
</p>
<p>
Note that <code>mktemp</code> has been deprecated since Python 2.3.
</p>
</overview>
<recommendation>
<p>
Replace the use of <code>mktemp</code> with one of the more secure functions
in the <code>tempfile</code> module, such as <code>TemporaryFile</code>. If the
file is intended to be accessed from other processes, consider using the
<code>NamedTemporaryFile</code> function instead.
</p>
</recommendation>
<example>
<p>
The following piece of code opens a temporary file and writes a set of results
to it. Because the filename is created using <code>mktemp</code>, another
process may already have created or accessed a file with this name before it is
opened using <code>open</code>.
</p>
<sample src="InsecureTemporaryFile.py" />
<p>
By changing the code to use <code>NamedTemporaryFile</code> instead, the file is
created and opened in a single step, so there is no window between choosing the
name and opening the file.
</p>
<sample src="SecureTemporaryFile.py" />
</example>
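The two sample files referenced above are not reproduced on this page. The following is an added example, written for this page and not taken from the qhelp or from the CodeQL repository; the function names (write_results_insecure, write_results_secure, demonstrate_gap, run_demo) are the example's own. It shows the two-step mktemp-then-open pattern beside the one-step NamedTemporaryFile form, and makes the gap between the two steps visible by creating the file at the mktemp path before the insecure open runs, standing in for any other process that could do the same.

```python
"""Two-step (mktemp + open) versus one-step temporary file creation.

Added example, not part of the qhelp text or the CodeQL repository; all
function names here are the example's own.  Standard library only.
"""
import os
import shutil
import stat
import tempfile


def write_results_insecure(results, dirpath=None):
    """The pattern the query flags.

    mktemp() only hands back a name that was unused at the moment it was
    generated; the file does not exist yet.  open() is a second, separate
    system call, so any other process can create that path in between and the
    write below lands in a file this code did not create.
    """
    path = tempfile.mktemp(dir=dirpath)          # step 1: name only
    with open(path, "w") as handle:              # step 2: not atomic with step 1
        handle.write("\n".join(results))
    return path


def write_results_secure(results, dirpath=None):
    """Hardened form recommended by the qhelp.

    NamedTemporaryFile (via mkstemp) creates and opens the file in one call
    using O_CREAT | O_EXCL and mode 0o600, so an existing path is never reused.
    delete=False keeps the file so another process can read it by name.
    """
    with tempfile.NamedTemporaryFile("w", dir=dirpath, delete=False) as handle:
        handle.write("\n".join(results))
        return handle.name


def demonstrate_gap(dirpath):
    """Make the window between mktemp() and open() visible.

    We create the file at the mktemp() path ourselves, standing in for any
    other process that could do the same, with permissions the writer did not
    choose.  The insecure open() then succeeds without complaint and inherits
    those permissions, while an exclusive create at the same path fails: that
    failure is exactly the guarantee mkstemp/NamedTemporaryFile rely on.
    """
    path = tempfile.mktemp(dir=dirpath)
    with open(path, "w") as handle:              # someone else gets there first
        handle.write("pre-existing content")
    os.chmod(path, 0o644)                        # world-readable, not our choice

    with open(path, "w") as handle:              # insecure step 2 still "works"
        handle.write("results")
    raced_mode = stat.S_IMODE(os.stat(path).st_mode)

    try:                                         # what the secure API does instead
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
        exclusive_create_failed = False
    except FileExistsError:
        exclusive_create_failed = True

    return {"raced_mode": raced_mode,
            "exclusive_create_failed": exclusive_create_failed}


def run_demo():
    """Run both writers in a fresh private directory and report what happened."""
    workdir = tempfile.mkdtemp()                  # constructed, throwaway input
    results = ["alpha", "beta"]
    try:
        insecure_path = write_results_insecure(results, workdir)
        secure_path = write_results_secure(results, workdir)
        with open(secure_path) as handle:
            secure_content = handle.read()
        report = {
            "insecure_mode": stat.S_IMODE(os.stat(insecure_path).st_mode),
            "secure_mode": stat.S_IMODE(os.stat(secure_path).st_mode),
            "secure_content": secure_content,
        }
        report.update(demonstrate_gap(workdir))
    finally:
        shutil.rmtree(workdir)
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, oct(value) if key.endswith("_mode") else value)
```

The insecure writer's file mode depends on the process umask, whereas the secure writer's file is always 0o600 because mkstemp passes that mode to an exclusive create. The raced path keeps the 0o644 it was given before the insecure open, which is the point: a two-step pattern writes into whatever already sits at that name.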
<references>
<li>
Python Standard Library: <a href="https://docs.python.org/3/library/tempfile.html#tempfile.mktemp">tempfile.mktemp</a>.
</li>
</references>
</qhelp>