STINNER Victor <vstin...@redhat.com> added the comment:
Ruby handled this issue as a vulnerability: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/ The doc of "gettempprefix" says "This does not contain the directory component", so it is natural for users to think "prefix" will accept only a file name. Maybe we can silently truncated the directort part of the prefix to only keep the base name in stable branches, but raise an exception in Python 3.8? Or maybe emit a deprecation warning in Python 3.7? ---------- nosy: +vstinner _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue35278> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com