tempfile/
lib.rs

1//! This is a library for creating temporary files and directories that are automatically deleted
2//! when no longer referenced (i.e., on drop).
3//!
4//! - Use [`tempfile()`] when you need a real [`std::fs::File`] but don't need to refer to it
5//!   by-path.
6//! - Use [`NamedTempFile::new()`] when you need a _named_ temporary file that can be refered to its
7//!   path.
8//! - Use [`tempdir()`] when you need a temporary directory that will be recursively deleted on drop.
9//! - Use [`spooled_tempfile()`] when you need an in-memory buffer that will ultimately be backed by
10//!   a temporary file if it gets too large.
11//!
12//! # Design
13//!
14//! This crate provides several approaches to creating temporary files and directories.
15//! [`tempfile()`] relies on the OS to remove the temporary file once the last handle is closed.
16//! [`TempDir`] and [`NamedTempFile`] both rely on Rust destructors for cleanup.
17//!
18//! ## Resource Leaking
19//!
20//! `tempfile` will (almost) never fail to cleanup temporary resources. However `TempDir` and
21//! `NamedTempFile` will fail if their destructors don't run. This is because `tempfile` relies on
22//! the OS to cleanup the underlying file, while `TempDir` and `NamedTempFile` rely on rust
23//! destructors to do so. Destructors may fail to run if the process exits through an unhandled
24//! signal interrupt (like `SIGINT`), or if the instance is declared statically (like with
25//! [`lazy_static`]), among other possible reasons.
26//!
27//! ## Unexpected File Deletion
28//!
29//! Most operating systems periodically clean up temporary files that haven't been accessed recently
30//! (often on the order of multiple days). This issue does not affect unnamed temporary files but
31//! can invalidate the paths associated with named temporary files on Unix-like systems because the
32//! temporary file can be unlinked from the filesystem while still open and in-use. See the
33//! [temporary file cleaner](#temporary-file-cleaners) section for more security implications.
34//!
35//! ## Security
36//!
37//! This section discusses security issues relevant to Unix-like operating systems that use shared
38//! temporary directories by default. Importantly, it's not relevant for Windows or macOS as both
39//! operating systems use private per-user temporary directories by default.
40//!
41//! Applications can mitigate the issues described below by using [`env::override_temp_dir`] to
42//! change the default temporary directory but should do so if and only if default the temporary
43//! directory ([`env::temp_dir`]) is unsuitable (is world readable, world writable, managed by a
44//! temporary file cleaner, etc.).
45//!
46//! ### Temporary File Cleaners
47//!
48//! In the presence of pathological temporary file cleaner, relying on file paths is unsafe because
49//! a temporary file cleaner could delete the temporary file which an attacker could then replace.
50//!
51//! This isn't an issue for [`tempfile`] as it doesn't rely on file paths. However, [`NamedTempFile`]
52//! and temporary directories _do_ rely on file paths for _some_ operations. See the security
53//! documentation on the [`NamedTempFile`] and the [`TempDir`] types for more information.
54//!
55//! Mitigation:
56//!
57//! - This is rarely an issue for short-lived files as temporary file cleaners usually only remove
58//!   temporary files that haven't been modified or accessed within many (10-30) days.
59//! - Very long lived temporary files should be placed in directories not managed by temporary file
60//!   cleaners.
61//!
62//! ### Access Permissions
63//!
64//! Temporary _files_ created with this library are private by default on all operating systems.
65//! However, temporary _directories_ are created with the default permissions and will therefore be
66//! world-readable by default unless the user has changed their umask and/or default temporary
67//! directory.
68//!
69//! ### Denial of Service
70//!
71//! If the file-name randomness ([`Builder::rand_bytes`]) is too small and/or this crate is built
72//! without the `getrandom` feature, it may be possible for an attacker to predict the random file
73//! names chosen by this library, preventing temporary file creation by creating temporary files
74//! with these predicted file names. By default, this library mitigates this denial of service
75//! attack by:
76//!
77//! 1. Defaulting to 6 random characters per temporary file forcing an attacker to create billions
78//!    of files before random collisions are expected (at which point you probably have larger
79//!    problems).
80//! 2. Re-seeding the random filename generator from system randomness after 3 failed attempts to
81//!    create temporary a file (when the `getrandom` feature is enabled as it is by default on all
82//!    major platforms).
83//!
84//! ## Early drop pitfall
85//!
86//! Because `TempDir` and `NamedTempFile` rely on their destructors for cleanup, this can lead
87//! to an unexpected early removal of the directory/file, usually when working with APIs which are
88//! generic over `AsRef<Path>`. Consider the following example:
89//!
90//! ```no_run
91//! use tempfile::tempdir;
92//! use std::process::Command;
93//!
94//! // Create a directory inside of `env::temp_dir()`.
95//! let temp_dir = tempdir()?;
96//!
97//! // Spawn the `touch` command inside the temporary directory and collect the exit status
98//! // Note that `temp_dir` is **not** moved into `current_dir`, but passed as a reference
99//! let exit_status = Command::new("touch").arg("tmp").current_dir(&temp_dir).status()?;
100//! assert!(exit_status.success());
101//!
102//! # Ok::<(), std::io::Error>(())
103//! ```
104//!
105//! This works because a reference to `temp_dir` is passed to `current_dir`, resulting in the
106//! destructor of `temp_dir` being run after the `Command` has finished execution. Moving the
107//! `TempDir` into the `current_dir` call would result in the `TempDir` being converted into
108//! an internal representation, with the original value being dropped and the directory thus
109//! being deleted, before the command can be executed.
110//!
111//! The `touch` command would fail with an `No such file or directory` error.
112//!
113//! ## Examples
114//!
115//! Create a temporary file and write some data into it:
116//!
117//! ```
118//! use tempfile::tempfile;
119//! use std::io::Write;
120//!
121//! // Create a file inside of `env::temp_dir()`.
122//! let mut file = tempfile()?;
123//!
124//! writeln!(file, "Brian was here. Briefly.")?;
125//! # Ok::<(), std::io::Error>(())
126//! ```
127//!
128//! Create a named temporary file and open an independent file handle:
129//!
130//! ```
131//! use tempfile::NamedTempFile;
132//! use std::io::{Write, Read};
133//!
134//! let text = "Brian was here. Briefly.";
135//!
136//! // Create a file inside of `env::temp_dir()`.
137//! let mut file1 = NamedTempFile::new()?;
138//!
139//! // Re-open it.
140//! let mut file2 = file1.reopen()?;
141//!
142//! // Write some test data to the first handle.
143//! file1.write_all(text.as_bytes())?;
144//!
145//! // Read the test data using the second handle.
146//! let mut buf = String::new();
147//! file2.read_to_string(&mut buf)?;
148//! assert_eq!(buf, text);
149//! # Ok::<(), std::io::Error>(())
150//! ```
151//!
152//! Create a temporary directory and add a file to it:
153//!
154//! ```
155//! use tempfile::tempdir;
156//! use std::fs::File;
157//! use std::io::Write;
158//!
159//! // Create a directory inside of `env::temp_dir()`.
160//! let dir = tempdir()?;
161//!
162//! let file_path = dir.path().join("my-temporary-note.txt");
163//! let mut file = File::create(file_path)?;
164//! writeln!(file, "Brian was here. Briefly.")?;
165//!
166//! // By closing the `TempDir` explicitly, we can check that it has
167//! // been deleted successfully. If we don't close it explicitly,
168//! // the directory will still be deleted when `dir` goes out
169//! // of scope, but we won't know whether deleting the directory
170//! // succeeded.
171//! drop(file);
172//! dir.close()?;
173//! # Ok::<(), std::io::Error>(())
174//! ```
175//!
176//! [`tempfile()`]: fn.tempfile.html
177//! [`tempdir()`]: fn.tempdir.html
178//! [`TempDir`]: struct.TempDir.html
179//! [`NamedTempFile`]: struct.NamedTempFile.html
180//! [`lazy_static`]: https://github.com/rust-lang-nursery/lazy-static.rs/issues/62
181
182#![doc(
183    html_logo_url = "https://www.rust-lang.org/logos/rust-logo-128x128-blk-v2.png",
184    html_favicon_url = "https://www.rust-lang.org/favicon.ico",
185    html_root_url = "https://docs.rs/tempfile/latest"
186)]
187#![cfg_attr(test, deny(warnings))]
188#![deny(rust_2018_idioms)]
189#![allow(clippy::redundant_field_names)]
190// wasip2 conditionally gates stdlib APIs.
191// https://github.com/rust-lang/rust/issues/130323
192#![cfg_attr(
193    all(feature = "nightly", target_os = "wasi", target_env = "p2"),
194    feature(wasip2)
195)]
196#![cfg_attr(all(feature = "nightly", target_os = "wasi"), feature(wasi_ext))]
197
198#[cfg(doctest)]
199doc_comment::doctest!("../README.md");
200
201const NUM_RETRIES: u32 = 65536;
202const NUM_RAND_CHARS: usize = 6;
203
204use std::ffi::OsStr;
205use std::fs::{OpenOptions, Permissions};
206use std::io;
207use std::path::Path;
208
209mod dir;
210mod error;
211mod file;
212mod spooled;
213mod util;
214
215pub mod env;
216
217pub use crate::dir::{tempdir, tempdir_in, TempDir};
218pub use crate::file::{
219    tempfile, tempfile_in, NamedTempFile, PathPersistError, PersistError, TempPath,
220};
221pub use crate::spooled::{spooled_tempfile, spooled_tempfile_in, SpooledData, SpooledTempFile};
222
223/// Create a new temporary file or directory with custom options.
224#[derive(Debug, Clone, Eq, PartialEq)]
225pub struct Builder<'a, 'b> {
226    random_len: usize,
227    prefix: &'a OsStr,
228    suffix: &'b OsStr,
229    append: bool,
230    permissions: Option<Permissions>,
231    disable_cleanup: bool,
232}
233
234impl Default for Builder<'_, '_> {
235    fn default() -> Self {
236        Builder {
237            random_len: crate::NUM_RAND_CHARS,
238            prefix: OsStr::new(".tmp"),
239            suffix: OsStr::new(""),
240            append: false,
241            permissions: None,
242            disable_cleanup: false,
243        }
244    }
245}
246
247impl<'a, 'b> Builder<'a, 'b> {
248    /// Create a new `Builder`.
249    ///
250    /// # Examples
251    ///
252    /// Create a named temporary file and write some data into it:
253    ///
254    /// ```
255    /// use std::ffi::OsStr;
256    /// use tempfile::Builder;
257    ///
258    /// let named_tempfile = Builder::new()
259    ///     .prefix("my-temporary-note")
260    ///     .suffix(".txt")
261    ///     .rand_bytes(5)
262    ///     .tempfile()?;
263    ///
264    /// let name = named_tempfile
265    ///     .path()
266    ///     .file_name().and_then(OsStr::to_str);
267    ///
268    /// if let Some(name) = name {
269    ///     assert!(name.starts_with("my-temporary-note"));
270    ///     assert!(name.ends_with(".txt"));
271    ///     assert_eq!(name.len(), "my-temporary-note.txt".len() + 5);
272    /// }
273    /// # Ok::<(), std::io::Error>(())
274    /// ```
275    ///
276    /// Create a temporary directory and add a file to it:
277    ///
278    /// ```
279    /// use std::io::Write;
280    /// use std::fs::File;
281    /// use std::ffi::OsStr;
282    /// use tempfile::Builder;
283    ///
284    /// let dir = Builder::new()
285    ///     .prefix("my-temporary-dir")
286    ///     .rand_bytes(5)
287    ///     .tempdir()?;
288    ///
289    /// let file_path = dir.path().join("my-temporary-note.txt");
290    /// let mut file = File::create(file_path)?;
291    /// writeln!(file, "Brian was here. Briefly.")?;
292    ///
293    /// // By closing the `TempDir` explicitly, we can check that it has
294    /// // been deleted successfully. If we don't close it explicitly,
295    /// // the directory will still be deleted when `dir` goes out
296    /// // of scope, but we won't know whether deleting the directory
297    /// // succeeded.
298    /// drop(file);
299    /// dir.close()?;
300    /// # Ok::<(), std::io::Error>(())
301    /// ```
302    ///
303    /// Create a temporary directory with a chosen prefix under a chosen folder:
304    ///
305    /// ```no_run
306    /// use tempfile::Builder;
307    ///
308    /// let dir = Builder::new()
309    ///     .prefix("my-temporary-dir")
310    ///     .tempdir_in("folder-with-tempdirs")?;
311    /// # Ok::<(), std::io::Error>(())
312    /// ```
313    #[must_use]
314    pub fn new() -> Self {
315        Self::default()
316    }
317
318    /// Set a custom filename prefix.
319    ///
320    /// Path separators are legal but not advisable.
321    /// Default: `.tmp`.
322    ///
323    /// # Examples
324    ///
325    /// ```
326    /// use tempfile::Builder;
327    ///
328    /// let named_tempfile = Builder::new()
329    ///     .prefix("my-temporary-note")
330    ///     .tempfile()?;
331    /// # Ok::<(), std::io::Error>(())
332    /// ```
333    pub fn prefix<S: AsRef<OsStr> + ?Sized>(&mut self, prefix: &'a S) -> &mut Self {
334        self.prefix = prefix.as_ref();
335        self
336    }
337
338    /// Set a custom filename suffix.
339    ///
340    /// Path separators are legal but not advisable.
341    /// Default: empty.
342    ///
343    /// # Examples
344    ///
345    /// ```
346    /// use tempfile::Builder;
347    ///
348    /// let named_tempfile = Builder::new()
349    ///     .suffix(".txt")
350    ///     .tempfile()?;
351    /// # Ok::<(), std::io::Error>(())
352    /// ```
353    pub fn suffix<S: AsRef<OsStr> + ?Sized>(&mut self, suffix: &'b S) -> &mut Self {
354        self.suffix = suffix.as_ref();
355        self
356    }
357
358    /// Set the number of random bytes.
359    ///
360    /// Default: `6`.
361    ///
362    /// # Examples
363    ///
364    /// ```
365    /// use tempfile::Builder;
366    ///
367    /// let named_tempfile = Builder::new()
368    ///     .rand_bytes(5)
369    ///     .tempfile()?;
370    /// # Ok::<(), std::io::Error>(())
371    /// ```
372    pub fn rand_bytes(&mut self, rand: usize) -> &mut Self {
373        self.random_len = rand;
374        self
375    }
376
377    /// Configure the file to be opened in append-only mode.
378    ///
379    /// Default: `false`.
380    ///
381    /// # Examples
382    ///
383    /// ```
384    /// use tempfile::Builder;
385    ///
386    /// let named_tempfile = Builder::new()
387    ///     .append(true)
388    ///     .tempfile()?;
389    /// # Ok::<(), std::io::Error>(())
390    /// ```
391    pub fn append(&mut self, append: bool) -> &mut Self {
392        self.append = append;
393        self
394    }
395
396    /// Set the permissions for the new temporary file/directory.
397    ///
398    /// # Platform Notes
399    ///
400    /// ## Windows
401    ///
402    /// This setting is only fully-supported on unix-like platforms. On Windows, if this method is
403    /// called with a [`Permissions`] object where `permissions.readonly` returns true, creating
404    /// temporary files and directories will fail with an error.
405    ///
406    /// ## Unix
407    ///
408    /// On unix-like systems, the actual permission bits set on the tempfile or tempdir will be
409    /// affected by the `umask` applied by the underlying syscall. The actual permission bits are
410    /// calculated via `permissions & !umask`. In other words, depending on your umask, the
411    /// permissions of the created file may be more restrictive (but never more permissive) than the
412    /// ones you specified.
413    ///
414    /// Permissions default to `0o600` for tempfiles and `0o777` for tempdirs. Note, this doesn't
415    /// include effects of the current `umask`. For example, combined with the standard umask
416    /// `0o022`, the defaults yield `0o600` for tempfiles and `0o755` for tempdirs.
417    ///
418    /// ## WASI
419    ///
420    /// While custom permissions are allowed on WASI, they will be ignored as the platform has no
421    /// concept of permissions or file modes (or multiple users for that matter).
422    ///
423    /// # Examples
424    ///
425    /// Create a named temporary file that is world-readable.
426    ///
427    /// ```
428    /// # #[cfg(unix)]
429    /// # {
430    /// use tempfile::Builder;
431    /// use std::os::unix::fs::PermissionsExt;
432    ///
433    /// let all_read_write = std::fs::Permissions::from_mode(0o666);
434    /// let tempfile = Builder::new().permissions(all_read_write).tempfile()?;
435    ///
436    /// // Check that this worked and that the file is world-readable.
437    /// //
438    /// // NOTE: the file likely won't actually be created with 0o666 permissions because it's
439    /// // restricted by the user's umask.
440    /// //
441    /// // NOTE: This test will fail if the user's umask is, e.g., 0o066.
442    /// let actual_permissions = tempfile.path().metadata()?.permissions();
443    /// assert_eq!(actual_permissions.mode() & 0o044, 0o044);
444    /// # }
445    /// # Ok::<(), std::io::Error>(())
446    /// ```
447    ///
448    /// Create a named temporary directory that is restricted to the owner.
449    ///
450    /// ```
451    /// # #[cfg(unix)]
452    /// # {
453    /// use tempfile::Builder;
454    /// use std::os::unix::fs::PermissionsExt;
455    ///
456    /// let owner_rwx = std::fs::Permissions::from_mode(0o700);
457    /// let tempdir = Builder::new().permissions(owner_rwx).tempdir()?;
458    /// let actual_permissions = tempdir.path().metadata()?.permissions();
459    /// assert_eq!(
460    ///     actual_permissions.mode() & !0o170000,
461    ///     0o700,
462    ///     "we get the narrow permissions we asked for"
463    /// );
464    /// # }
465    /// # Ok::<(), std::io::Error>(())
466    /// ```
467    pub fn permissions(&mut self, permissions: Permissions) -> &mut Self {
468        self.permissions = Some(permissions);
469        self
470    }
471
472    /// Disable cleanup of the file/folder to even when the [`NamedTempFile`]/[`TempDir`] goes out
473    /// of scope. Prefer [`NamedTempFile::keep`] and `[`TempDir::keep`] where possible,
474    /// `disable_cleanup` is provided for testing & debugging.
475    ///
476    /// By default, the file/folder is automatically cleaned up in the destructor of
477    /// [`NamedTempFile`]/[`TempDir`]. When `disable_cleanup` is set to `true`, this behavior is
478    /// suppressed. If you wish to disable cleanup after creating a temporary file/directory, call
479    /// [`NamedTempFile::disable_cleanup`] or [`TempDir::disable_cleanup`].
480    ///
481    /// # Warnings
482    ///
483    /// On some platforms (for now, only Windows), temporary files are marked with a special
484    /// "temporary file" (`FILE_ATTRIBUTE_TEMPORARY`) attribute. Disabling cleanup _will not_ unset
485    /// this attribute while calling [`NamedTempFile::keep`] will.
486    ///
487    /// # Examples
488    ///
489    /// ```
490    /// use tempfile::Builder;
491    ///
492    /// let named_tempfile = Builder::new()
493    ///     .disable_cleanup(true)
494    ///     .tempfile()?;
495    /// # Ok::<(), std::io::Error>(())
496    /// ```
497    pub fn disable_cleanup(&mut self, disable_cleanup: bool) -> &mut Self {
498        self.disable_cleanup = disable_cleanup;
499        self
500    }
501
502    /// Deprecated alias for [`Builder::disable_cleanup`].
503    #[deprecated = "Use Builder::disable_cleanup"]
504    pub fn keep(&mut self, keep: bool) -> &mut Self {
505        self.disable_cleanup(keep)
506    }
507
508    /// Create the named temporary file.
509    ///
510    /// # Security
511    ///
512    /// See [the security][security] docs on `NamedTempFile`.
513    ///
514    /// # Resource leaking
515    ///
516    /// See [the resource leaking][resource-leaking] docs on `NamedTempFile`.
517    ///
518    /// # Errors
519    ///
520    /// If the file cannot be created, `Err` is returned.
521    ///
522    /// # Examples
523    ///
524    /// ```
525    /// use tempfile::Builder;
526    ///
527    /// let tempfile = Builder::new().tempfile()?;
528    /// # Ok::<(), std::io::Error>(())
529    /// ```
530    ///
531    /// [security]: struct.NamedTempFile.html#security
532    /// [resource-leaking]: struct.NamedTempFile.html#resource-leaking
533    pub fn tempfile(&self) -> io::Result<NamedTempFile> {
534        self.tempfile_in(env::temp_dir())
535    }
536
537    /// Create the named temporary file in the specified directory.
538    ///
539    /// # Security
540    ///
541    /// See [the security][security] docs on `NamedTempFile`.
542    ///
543    /// # Resource leaking
544    ///
545    /// See [the resource leaking][resource-leaking] docs on `NamedTempFile`.
546    ///
547    /// # Errors
548    ///
549    /// If the file cannot be created, `Err` is returned.
550    ///
551    /// # Examples
552    ///
553    /// ```
554    /// use tempfile::Builder;
555    ///
556    /// let tempfile = Builder::new().tempfile_in("./")?;
557    /// # Ok::<(), std::io::Error>(())
558    /// ```
559    ///
560    /// [security]: struct.NamedTempFile.html#security
561    /// [resource-leaking]: struct.NamedTempFile.html#resource-leaking
562    pub fn tempfile_in<P: AsRef<Path>>(&self, dir: P) -> io::Result<NamedTempFile> {
563        util::create_helper(
564            dir.as_ref(),
565            self.prefix,
566            self.suffix,
567            self.random_len,
568            |path| {
569                file::create_named(
570                    path,
571                    OpenOptions::new().append(self.append),
572                    self.permissions.as_ref(),
573                    self.disable_cleanup,
574                )
575            },
576        )
577    }
578
579    /// Attempts to make a temporary directory inside of [`env::temp_dir()`] whose
580    /// name will have the prefix, `prefix`. The directory and
581    /// everything inside it will be automatically deleted once the
582    /// returned `TempDir` is destroyed.
583    ///
584    /// # Resource leaking
585    ///
586    /// See [the resource leaking][resource-leaking] docs on `TempDir`.
587    ///
588    /// # Errors
589    ///
590    /// If the directory can not be created, `Err` is returned.
591    ///
592    /// # Examples
593    ///
594    /// ```
595    /// use tempfile::Builder;
596    ///
597    /// let tmp_dir = Builder::new().tempdir()?;
598    /// # Ok::<(), std::io::Error>(())
599    /// ```
600    ///
601    /// [resource-leaking]: struct.TempDir.html#resource-leaking
602    pub fn tempdir(&self) -> io::Result<TempDir> {
603        self.tempdir_in(env::temp_dir())
604    }
605
606    /// Attempts to make a temporary directory inside of `dir`.
607    /// The directory and everything inside it will be automatically
608    /// deleted once the returned `TempDir` is destroyed.
609    ///
610    /// # Resource leaking
611    ///
612    /// See [the resource leaking][resource-leaking] docs on `TempDir`.
613    ///
614    /// # Errors
615    ///
616    /// If the directory can not be created, `Err` is returned.
617    ///
618    /// # Examples
619    ///
620    /// ```
621    /// use tempfile::Builder;
622    ///
623    /// let tmp_dir = Builder::new().tempdir_in("./")?;
624    /// # Ok::<(), std::io::Error>(())
625    /// ```
626    ///
627    /// [resource-leaking]: struct.TempDir.html#resource-leaking
628    pub fn tempdir_in<P: AsRef<Path>>(&self, dir: P) -> io::Result<TempDir> {
629        util::create_helper(
630            dir.as_ref(),
631            self.prefix,
632            self.suffix,
633            self.random_len,
634            |path| dir::create(path, self.permissions.as_ref(), self.disable_cleanup),
635        )
636    }
637
638    /// Attempts to create a temporary file (or file-like object) using the
639    /// provided closure. The closure is passed a temporary file path and
640    /// returns an [`std::io::Result`]. The path provided to the closure will be
641    /// inside of [`env::temp_dir()`]. Use [`Builder::make_in`] to provide
642    /// a custom temporary directory. If the closure returns one of the
643    /// following errors, then another randomized file path is tried:
644    ///  - [`std::io::ErrorKind::AlreadyExists`]
645    ///  - [`std::io::ErrorKind::AddrInUse`]
646    ///
647    /// This can be helpful for taking full control over the file creation, but
648    /// leaving the temporary file path construction up to the library. This
649    /// also enables creating a temporary UNIX domain socket, since it is not
650    /// possible to bind to a socket that already exists.
651    ///
652    /// Note that [`Builder::append`] is ignored when using [`Builder::make`].
653    ///
654    /// # Security
655    ///
656    /// This has the same [security implications][security] as
657    /// [`NamedTempFile`], but with additional caveats. Specifically, it is up
658    /// to the closure to ensure that the file does not exist and that such a
659    /// check is *atomic*. Otherwise, a [time-of-check to time-of-use
660    /// bug][TOCTOU] could be introduced.
661    ///
662    /// For example, the following is **not** secure:
663    ///
664    /// ```
665    /// use std::fs::File;
666    /// use tempfile::Builder;
667    ///
668    /// // This is NOT secure!
669    /// let tempfile = Builder::new().make(|path| {
670    ///     if path.is_file() {
671    ///         return Err(std::io::ErrorKind::AlreadyExists.into());
672    ///     }
673    ///
674    ///     // Between the check above and the usage below, an attacker could
675    ///     // have replaced `path` with another file, which would get truncated
676    ///     // by `File::create`.
677    ///
678    ///     File::create(path)
679    /// })?;
680    /// # Ok::<(), std::io::Error>(())
681    /// ```
682    ///
683    /// Note that simply using [`std::fs::File::create`] alone is not correct
684    /// because it does not fail if the file already exists:
685    ///
686    /// ```
687    /// use tempfile::Builder;
688    /// use std::fs::File;
689    ///
690    /// // This could overwrite an existing file!
691    /// let tempfile = Builder::new().make(|path| File::create(path))?;
692    /// # Ok::<(), std::io::Error>(())
693    /// ```
694    /// For creating regular temporary files, use [`Builder::tempfile`] instead
695    /// to avoid these problems. This function is meant to enable more exotic
696    /// use-cases.
697    ///
698    /// # Resource leaking
699    ///
700    /// See [the resource leaking][resource-leaking] docs on `NamedTempFile`.
701    ///
702    /// # Errors
703    ///
704    /// If the closure returns any error besides
705    /// [`std::io::ErrorKind::AlreadyExists`] or
706    /// [`std::io::ErrorKind::AddrInUse`], then `Err` is returned.
707    ///
708    /// # Examples
709    /// ```
710    /// # #[cfg(unix)]
711    /// # {
712    /// use std::os::unix::net::UnixListener;
713    /// use tempfile::Builder;
714    ///
715    /// let tempsock = Builder::new().make(|path| UnixListener::bind(path))?;
716    /// # }
717    /// # Ok::<(), std::io::Error>(())
718    /// ```
719    ///
720    /// [TOCTOU]: https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
721    /// [security]: struct.NamedTempFile.html#security
722    /// [resource-leaking]: struct.NamedTempFile.html#resource-leaking
723    pub fn make<F, R>(&self, f: F) -> io::Result<NamedTempFile<R>>
724    where
725        F: FnMut(&Path) -> io::Result<R>,
726    {
727        self.make_in(env::temp_dir(), f)
728    }
729
730    /// This is the same as [`Builder::make`], except `dir` is used as the base
731    /// directory for the temporary file path.
732    ///
733    /// See [`Builder::make`] for more details and security implications.
734    ///
735    /// # Examples
736    /// ```
737    /// # #[cfg(unix)]
738    /// # {
739    /// use tempfile::Builder;
740    /// use std::os::unix::net::UnixListener;
741    ///
742    /// let tempsock = Builder::new().make_in("./", |path| UnixListener::bind(path))?;
743    /// # }
744    /// # Ok::<(), std::io::Error>(())
745    /// ```
746    pub fn make_in<F, R, P>(&self, dir: P, mut f: F) -> io::Result<NamedTempFile<R>>
747    where
748        F: FnMut(&Path) -> io::Result<R>,
749        P: AsRef<Path>,
750    {
751        util::create_helper(
752            dir.as_ref(),
753            self.prefix,
754            self.suffix,
755            self.random_len,
756            move |path| {
757                Ok(NamedTempFile::from_parts(
758                    f(&path)?,
759                    TempPath::new(path, self.disable_cleanup),
760                ))
761            },
762        )
763    }
764}