What is the security risk with `NamedTempFile`?

⚓ Rust    📅 2025-10-07    👤 surdeus    👁️ 4

surdeus

From the tempfiles docs:

Security

Most operating systems employ temporary file cleaners to delete old temporary files. Unfortunately these temporary file cleaners don't always reliably detect whether the temporary file is still being used.

Specifically, the following sequence of events can happen:

  1. A user creates a temporary file with NamedTempFile::new().
  2. Time passes.
  3. The temporary file cleaner deletes (unlinks) the temporary file from the filesystem.
  4. Some other program creates a new file to replace this deleted temporary file.
  5. The user tries to re-open the temporary file (in the same program or in a different program) by path. Unfortunately, they'll end up opening the file created by the other program, not the original file.

I'm inferring that the attack here is that some user creates their own temp file which could make your program do something malicious when it reads it.

How is the fact that operating systems can delete in-use temp files the root cause of this? Can another program on the system not just delete and replace a temp file while it's in use? Or even overwrite data without deleting and replacing the file?

For that matter, how is this any more risky than reading from the filesystem in general, not just a temporary file?
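The sequence the docs describe, reproduced as an added example (not from the post above or from the `tempfile` crate; it uses only the standard library and a constructed file name under the system temp directory, and the inode comparison assumes a Unix filesystem). It shows why the mitigation is to keep the handle you got from creation rather than re-opening by path, and how a program can check whether a path still names the file it holds open before trusting it:

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Seek, SeekFrom, Write};
use std::os::unix::fs::MetadataExt;
use std::path::{Path, PathBuf};
use std::process;
use std::time::{SystemTime, UNIX_EPOCH};

/// Create a file at a fresh path under the system temp dir (constructed name,
/// not tempfile's scheme). `create_new` makes the open fail if the path already
/// exists, so we never adopt a file another process placed there first.
fn create_temp(tag: &str) -> io::Result<(PathBuf, File)> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
    let path = std::env::temp_dir()
        .join(format!("demo-{}-{}-{}.tmp", tag, process::id(), nanos));
    let file = OpenOptions::new()
        .read(true)
        .write(true)
        .create_new(true)
        .open(&path)?;
    Ok((path, file))
}

/// Defender's check: does `path` still name the very file we hold open?
/// A file that was unlinked and recreated has a different inode, because the
/// original inode stays allocated for as long as our handle is open.
fn path_still_ours(held: &File, path: &Path) -> io::Result<bool> {
    let ours = held.metadata()?;
    let theirs = fs::metadata(path)?;
    Ok(ours.dev() == theirs.dev() && ours.ino() == theirs.ino())
}

/// Walk through steps 1-5 from the docs: write through the held handle, let
/// "someone else" unlink the path and create a new file there, then compare
/// what the held handle reads with what a by-path reopen reads.
fn demo() -> io::Result<(String, String, bool)> {
    let (path, mut held) = create_temp("seq")?;
    held.write_all(b"original")?;
    held.flush()?;

    // Steps 3 and 4: a cleaner unlinks the path, another program recreates it.
    fs::remove_file(&path)?;
    fs::write(&path, b"replacement")?;

    // The identity check detects the swap before we would re-open by path.
    let same = path_still_ours(&held, &path)?;

    // The handle we kept open still reads the original (now unlinked) inode.
    held.seek(SeekFrom::Start(0))?;
    let mut via_handle = String::new();
    held.read_to_string(&mut via_handle)?;

    // Step 5: re-opening by path yields the other program's file instead.
    let via_path = fs::read_to_string(&path)?;

    fs::remove_file(&path)?;
    Ok((via_handle, via_path, same))
}

fn main() -> io::Result<()> {
    let (via_handle, via_path, same) = demo()?;
    println!("held handle reads:        {via_handle:?}");
    println!("reopen by path reads:     {via_path:?}");
    println!("path still names our file: {same}");
    Ok(())
}
```

The point the example makes concrete: the risk is not that the cleaner deletes data you hold open (the open handle keeps the inode alive), but that the *path* becomes a dangling name anyone with write access to the directory can re-bind. Code that keeps the `File` (or, with `tempfile`, uses `NamedTempFile::as_file()` / `reopen()` instead of the path) never goes back through that name; code that must pass a path to another program should verify device and inode against the handle it holds, and treat a mismatch as an error rather than reading whatever is there now.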

7 posts - 4 participants
