Ben Finney wrote:

> How should a program generate a unique filesystem path and *not* create
> the filesystem entry?

The Python documentation suggests that it should not.

> The ‘tempfile.mktemp’ function is strongly deprecated, and rightly so
> <URL:https://docs.python.org/3/library/tempfile.html#tempfile.mktemp>
> because it leaves the program vulnerable to insecure file creation.
>
> In some code (e.g. unit tests) I am calling ‘tempfile.mktemp’ to
> generate a unique path for a filesystem entry that I *do not want* to
> exist on the real filesystem. In this case the filesystem security
> concerns are irrelevant because there is no file.

I do not think that you have properly understood the problems with tempfile.mktemp().

> […]
> It is also prone to that API function disappearing at some point in the
> future, because it is explicitly and strongly deprecated.
>
> So I agree with the deprecation, but the library doesn't appear to
> provide a replacement.

| mktemp() usage can be replaced easily with NamedTemporaryFile(), passing
| it the delete=False parameter: [example]

> What standard library function should I be using to generate
> ‘tempfile.mktemp’-like unique paths, and *not* ever create a real file
> by that path?

I do not think it is possible to avoid the creation of a real file using the PSL; in fact, that a file is created appears to be precisely what fixes the problems with tempfile.mktemp() because then it cannot happen that someone else creates a file with the same name at the same time:

| tempfile.NamedTemporaryFile(mode='w+b', buffering=None, encoding=None,
| newline=None, suffix=None, prefix=None, dir=None, delete=True)
|
| This function operates exactly as TemporaryFile() does, except that the
| file is guaranteed to have a visible name in the file system (on Unix, the
| directory entry is not unlinked). […] If delete is true (the default), the
| file is deleted as soon as it is closed.

[…]

It is of course possible to generate a filename that is not currently used, but I am not aware of a PSL feature that does this, and if there were such a feature there would be the same problems with it as with mktemp().

-- 
PointedEars
Twitter: @PointedEars2
Please do not cc me.
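
Added example, not part of the original post: a sketch of the gap the thread is about, between a name that is only generated (`tempfile.mktemp`) and a file that is created in the same step (`NamedTemporaryFile(delete=False)`). It assumes a POSIX system; the function name `demo`, the file `important.txt` and the symlink standing in for "someone else creates a file with the same name" are constructed for illustration and stay inside a private sandbox directory.

```python
import os
import tempfile


def demo():
    """Return (naive_clobbered, excl_refused, safe_is_regular_file, safe_mode)."""
    # Private sandbox so nothing outside it is touched (constructed for the demo).
    with tempfile.TemporaryDirectory() as sandbox:
        other = os.path.join(sandbox, "important.txt")  # hypothetical unrelated file
        with open(other, "w") as f:
            f.write("original")

        # Name-only generation: the path is unused *now*, nothing reserves it.
        path = tempfile.mktemp(dir=sandbox)
        assert not os.path.exists(path)

        # Stand-in for another process taking the name before we use it.
        os.symlink(other, path)

        # Naive creation follows whatever now sits at that name.
        with open(path, "w") as f:
            f.write("temp data")
        with open(other) as f:
            naive_clobbered = f.read() == "temp data"

        # Exclusive creation detects the collision instead of following it.
        try:
            os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            excl_refused = False
        except FileExistsError:
            excl_refused = True

        # The documented replacement: name and file come into existence together.
        with tempfile.NamedTemporaryFile(dir=sandbox, delete=False) as tmp:
            safe_path = tmp.name
        safe_is_regular_file = (os.path.isfile(safe_path)
                                and not os.path.islink(safe_path))
        safe_mode = os.stat(safe_path).st_mode & 0o777
        os.unlink(safe_path)  # delete=False leaves cleanup to the caller

    return naive_clobbered, excl_refused, safe_is_regular_file, safe_mode


if __name__ == "__main__":
    print(demo())
```

For the unit-test case raised in the quoted question, a path inside a directory from `tempfile.TemporaryDirectory()` gives a name that does not exist and that only the test's own user can create.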