tempfile/lib.rs
1//! This is a library for creating temporary files and directories that are automatically deleted
2//! when no longer referenced (i.e., on drop).
3//!
4//! - Use [`tempfile()`] when you need a real [`std::fs::File`] but don't need to refer to it
5//! by-path.
6//! - Use [`NamedTempFile::new()`] when you need a _named_ temporary file that can be refered to its
7//! path.
8//! - Use [`tempdir()`] when you need a temporary directory that will be recursively deleted on drop.
9//! - Use [`spooled_tempfile()`] when you need an in-memory buffer that will ultimately be backed by
10//! a temporary file if it gets too large.
11//!
12//! # Design
13//!
14//! This crate provides several approaches to creating temporary files and directories.
15//! [`tempfile()`] relies on the OS to remove the temporary file once the last handle is closed.
16//! [`TempDir`] and [`NamedTempFile`] both rely on Rust destructors for cleanup.
17//!
18//! ## Resource Leaking
19//!
20//! `tempfile` will (almost) never fail to cleanup temporary resources. However `TempDir` and
21//! `NamedTempFile` will fail if their destructors don't run. This is because `tempfile` relies on
22//! the OS to cleanup the underlying file, while `TempDir` and `NamedTempFile` rely on rust
23//! destructors to do so. Destructors may fail to run if the process exits through an unhandled
24//! signal interrupt (like `SIGINT`), or if the instance is declared statically (like with
25//! [`lazy_static`]), among other possible reasons.
26//!
27//! ## Unexpected File Deletion
28//!
29//! Most operating systems periodically clean up temporary files that haven't been accessed recently
30//! (often on the order of multiple days). This issue does not affect unnamed temporary files but
31//! can invalidate the paths associated with named temporary files on Unix-like systems because the
32//! temporary file can be unlinked from the filesystem while still open and in-use. See the
33//! [temporary file cleaner](#temporary-file-cleaners) section for more security implications.
34//!
35//! ## Security
36//!
37//! This section discusses security issues relevant to Unix-like operating systems that use shared
38//! temporary directories by default. Importantly, it's not relevant for Windows or macOS as both
39//! operating systems use private per-user temporary directories by default.
40//!
41//! Applications can mitigate the issues described below by using [`env::override_temp_dir`] to
42//! change the default temporary directory but should do so if and only if default the temporary
43//! directory ([`env::temp_dir`]) is unsuitable (is world readable, world writable, managed by a
44//! temporary file cleaner, etc.).
45//!
46//! ### Temporary File Cleaners
47//!
48//! In the presence of pathological temporary file cleaner, relying on file paths is unsafe because
49//! a temporary file cleaner could delete the temporary file which an attacker could then replace.
50//!
51//! This isn't an issue for [`tempfile`] as it doesn't rely on file paths. However, [`NamedTempFile`]
52//! and temporary directories _do_ rely on file paths for _some_ operations. See the security
53//! documentation on the [`NamedTempFile`] and the [`TempDir`] types for more information.
54//!
55//! Mitigation:
56//!
57//! - This is rarely an issue for short-lived files as temporary file cleaners usually only remove
58//! temporary files that haven't been modified or accessed within many (10-30) days.
59//! - Very long lived temporary files should be placed in directories not managed by temporary file
60//! cleaners.
61//!
62//! ### Access Permissions
63//!
64//! Temporary _files_ created with this library are private by default on all operating systems.
65//! However, temporary _directories_ are created with the default permissions and will therefore be
66//! world-readable by default unless the user has changed their umask and/or default temporary
67//! directory.
68//!
69//! ### Denial of Service
70//!
71//! If the file-name randomness ([`Builder::rand_bytes`]) is too small and/or this crate is built
72//! without the `getrandom` feature, it may be possible for an attacker to predict the random file
73//! names chosen by this library, preventing temporary file creation by creating temporary files
74//! with these predicted file names. By default, this library mitigates this denial of service
75//! attack by:
76//!
77//! 1. Defaulting to 6 random characters per temporary file forcing an attacker to create billions
78//! of files before random collisions are expected (at which point you probably have larger
79//! problems).
80//! 2. Re-seeding the random filename generator from system randomness after 3 failed attempts to
81//! create temporary a file (when the `getrandom` feature is enabled as it is by default on all
82//! major platforms).
83//!
84//! ## Early drop pitfall
85//!
86//! Because `TempDir` and `NamedTempFile` rely on their destructors for cleanup, this can lead
87//! to an unexpected early removal of the directory/file, usually when working with APIs which are
88//! generic over `AsRef<Path>`. Consider the following example:
89//!
90//! ```no_run
91//! use tempfile::tempdir;
92//! use std::process::Command;
93//!
94//! // Create a directory inside of `env::temp_dir()`.
95//! let temp_dir = tempdir()?;
96//!
97//! // Spawn the `touch` command inside the temporary directory and collect the exit status
98//! // Note that `temp_dir` is **not** moved into `current_dir`, but passed as a reference
99//! let exit_status = Command::new("touch").arg("tmp").current_dir(&temp_dir).status()?;
100//! assert!(exit_status.success());
101//!
102//! # Ok::<(), std::io::Error>(())
103//! ```
104//!
105//! This works because a reference to `temp_dir` is passed to `current_dir`, resulting in the
106//! destructor of `temp_dir` being run after the `Command` has finished execution. Moving the
107//! `TempDir` into the `current_dir` call would result in the `TempDir` being converted into
108//! an internal representation, with the original value being dropped and the directory thus
109//! being deleted, before the command can be executed.
110//!
111//! The `touch` command would fail with an `No such file or directory` error.
112//!
113//! ## Examples
114//!
115//! Create a temporary file and write some data into it:
116//!
117//! ```
118//! use tempfile::tempfile;
119//! use std::io::Write;
120//!
121//! // Create a file inside of `env::temp_dir()`.
122//! let mut file = tempfile()?;
123//!
124//! writeln!(file, "Brian was here. Briefly.")?;
125//! # Ok::<(), std::io::Error>(())
126//! ```
127//!
128//! Create a named temporary file and open an independent file handle:
129//!
130//! ```
131//! use tempfile::NamedTempFile;
132//! use std::io::{Write, Read};
133//!
134//! let text = "Brian was here. Briefly.";
135//!
136//! // Create a file inside of `env::temp_dir()`.
137//! let mut file1 = NamedTempFile::new()?;
138//!
139//! // Re-open it.
140//! let mut file2 = file1.reopen()?;
141//!
142//! // Write some test data to the first handle.
143//! file1.write_all(text.as_bytes())?;
144//!
145//! // Read the test data using the second handle.
146//! let mut buf = String::new();
147//! file2.read_to_string(&mut buf)?;
148//! assert_eq!(buf, text);
149//! # Ok::<(), std::io::Error>(())
150//! ```
151//!
152//! Create a temporary directory and add a file to it:
153//!
154//! ```
155//! use tempfile::tempdir;
156//! use std::fs::File;
157//! use std::io::Write;
158//!
159//! // Create a directory inside of `env::temp_dir()`.
160//! let dir = tempdir()?;
161//!
162//! let file_path = dir.path().join("my-temporary-note.txt");
163//! let mut file = File::create(file_path)?;
164//! writeln!(file, "Brian was here. Briefly.")?;
165//!
166//! // By closing the `TempDir` explicitly, we can check that it has
167//! // been deleted successfully. If we don't close it explicitly,
168//! // the directory will still be deleted when `dir` goes out
169//! // of scope, but we won't know whether deleting the directory
170//! // succeeded.
171//! drop(file);
172//! dir.close()?;
173//! # Ok::<(), std::io::Error>(())
174//! ```
175//!
176//! [`tempfile()`]: fn.tempfile.html
177//! [`tempdir()`]: fn.tempdir.html
178//! [`TempDir`]: struct.TempDir.html
179//! [`NamedTempFile`]: struct.NamedTempFile.html
180//! [`lazy_static`]: https://github.com/rust-lang-nursery/lazy-static.rs/issues/62
181
182#![doc(
183 html_logo_url = "https://www.rust-lang.org/logos/rust-logo-128x128-blk-v2.png",
184 html_favicon_url = "https://www.rust-lang.org/favicon.ico",
185 html_root_url = "https://docs.rs/tempfile/latest"
186)]
187#![cfg_attr(test, deny(warnings))]
188#![deny(rust_2018_idioms)]
189#![allow(clippy::redundant_field_names)]
190// wasip2 conditionally gates stdlib APIs.
191// https://github.com/rust-lang/rust/issues/130323
192#![cfg_attr(
193 all(feature = "nightly", target_os = "wasi", target_env = "p2"),
194 feature(wasip2)
195)]
196#![cfg_attr(all(feature = "nightly", target_os = "wasi"), feature(wasi_ext))]
197
198#[cfg(doctest)]
199doc_comment::doctest!("../README.md");
200
201const NUM_RETRIES: u32 = 65536;
202const NUM_RAND_CHARS: usize = 6;
203
204use std::ffi::OsStr;
205use std::fs::{OpenOptions, Permissions};
206use std::io;
207use std::path::Path;
208
209mod dir;
210mod error;
211mod file;
212mod spooled;
213mod util;
214
215pub mod env;
216
217pub use crate::dir::{tempdir, tempdir_in, TempDir};
218pub use crate::file::{
219 tempfile, tempfile_in, NamedTempFile, PathPersistError, PersistError, TempPath,
220};
221pub use crate::spooled::{spooled_tempfile, spooled_tempfile_in, SpooledData, SpooledTempFile};
222
223/// Create a new temporary file or directory with custom options.
224#[derive(Debug, Clone, Eq, PartialEq)]
225pub struct Builder<'a, 'b> {
226 random_len: usize,
227 prefix: &'a OsStr,
228 suffix: &'b OsStr,
229 append: bool,
230 permissions: Option<Permissions>,
231 disable_cleanup: bool,
232}
233
234impl Default for Builder<'_, '_> {
235 fn default() -> Self {
236 Builder {
237 random_len: crate::NUM_RAND_CHARS,
238 prefix: OsStr::new(".tmp"),
239 suffix: OsStr::new(""),
240 append: false,
241 permissions: None,
242 disable_cleanup: false,
243 }
244 }
245}
246
247impl<'a, 'b> Builder<'a, 'b> {
248 /// Create a new `Builder`.
249 ///
250 /// # Examples
251 ///
252 /// Create a named temporary file and write some data into it:
253 ///
254 /// ```
255 /// use std::ffi::OsStr;
256 /// use tempfile::Builder;
257 ///
258 /// let named_tempfile = Builder::new()
259 /// .prefix("my-temporary-note")
260 /// .suffix(".txt")
261 /// .rand_bytes(5)
262 /// .tempfile()?;
263 ///
264 /// let name = named_tempfile
265 /// .path()
266 /// .file_name().and_then(OsStr::to_str);
267 ///
268 /// if let Some(name) = name {
269 /// assert!(name.starts_with("my-temporary-note"));
270 /// assert!(name.ends_with(".txt"));
271 /// assert_eq!(name.len(), "my-temporary-note.txt".len() + 5);
272 /// }
273 /// # Ok::<(), std::io::Error>(())
274 /// ```
275 ///
276 /// Create a temporary directory and add a file to it:
277 ///
278 /// ```
279 /// use std::io::Write;
280 /// use std::fs::File;
281 /// use std::ffi::OsStr;
282 /// use tempfile::Builder;
283 ///
284 /// let dir = Builder::new()
285 /// .prefix("my-temporary-dir")
286 /// .rand_bytes(5)
287 /// .tempdir()?;
288 ///
289 /// let file_path = dir.path().join("my-temporary-note.txt");
290 /// let mut file = File::create(file_path)?;
291 /// writeln!(file, "Brian was here. Briefly.")?;
292 ///
293 /// // By closing the `TempDir` explicitly, we can check that it has
294 /// // been deleted successfully. If we don't close it explicitly,
295 /// // the directory will still be deleted when `dir` goes out
296 /// // of scope, but we won't know whether deleting the directory
297 /// // succeeded.
298 /// drop(file);
299 /// dir.close()?;
300 /// # Ok::<(), std::io::Error>(())
301 /// ```
302 ///
303 /// Create a temporary directory with a chosen prefix under a chosen folder:
304 ///
305 /// ```no_run
306 /// use tempfile::Builder;
307 ///
308 /// let dir = Builder::new()
309 /// .prefix("my-temporary-dir")
310 /// .tempdir_in("folder-with-tempdirs")?;
311 /// # Ok::<(), std::io::Error>(())
312 /// ```
313 #[must_use]
314 pub fn new() -> Self {
315 Self::default()
316 }
317
318 /// Set a custom filename prefix.
319 ///
320 /// Path separators are legal but not advisable.
321 /// Default: `.tmp`.
322 ///
323 /// # Examples
324 ///
325 /// ```
326 /// use tempfile::Builder;
327 ///
328 /// let named_tempfile = Builder::new()
329 /// .prefix("my-temporary-note")
330 /// .tempfile()?;
331 /// # Ok::<(), std::io::Error>(())
332 /// ```
333 pub fn prefix<S: AsRef<OsStr> + ?Sized>(&mut self, prefix: &'a S) -> &mut Self {
334 self.prefix = prefix.as_ref();
335 self
336 }
337
338 /// Set a custom filename suffix.
339 ///
340 /// Path separators are legal but not advisable.
341 /// Default: empty.
342 ///
343 /// # Examples
344 ///
345 /// ```
346 /// use tempfile::Builder;
347 ///
348 /// let named_tempfile = Builder::new()
349 /// .suffix(".txt")
350 /// .tempfile()?;
351 /// # Ok::<(), std::io::Error>(())
352 /// ```
353 pub fn suffix<S: AsRef<OsStr> + ?Sized>(&mut self, suffix: &'b S) -> &mut Self {
354 self.suffix = suffix.as_ref();
355 self
356 }
357
358 /// Set the number of random bytes.
359 ///
360 /// Default: `6`.
361 ///
362 /// # Examples
363 ///
364 /// ```
365 /// use tempfile::Builder;
366 ///
367 /// let named_tempfile = Builder::new()
368 /// .rand_bytes(5)
369 /// .tempfile()?;
370 /// # Ok::<(), std::io::Error>(())
371 /// ```
372 pub fn rand_bytes(&mut self, rand: usize) -> &mut Self {
373 self.random_len = rand;
374 self
375 }
376
377 /// Configure the file to be opened in append-only mode.
378 ///
379 /// Default: `false`.
380 ///
381 /// # Examples
382 ///
383 /// ```
384 /// use tempfile::Builder;
385 ///
386 /// let named_tempfile = Builder::new()
387 /// .append(true)
388 /// .tempfile()?;
389 /// # Ok::<(), std::io::Error>(())
390 /// ```
391 pub fn append(&mut self, append: bool) -> &mut Self {
392 self.append = append;
393 self
394 }
395
396 /// Set the permissions for the new temporary file/directory.
397 ///
398 /// # Platform Notes
399 ///
400 /// ## Windows
401 ///
402 /// This setting is only fully-supported on unix-like platforms. On Windows, if this method is
403 /// called with a [`Permissions`] object where `permissions.readonly` returns true, creating
404 /// temporary files and directories will fail with an error.
405 ///
406 /// ## Unix
407 ///
408 /// On unix-like systems, the actual permission bits set on the tempfile or tempdir will be
409 /// affected by the `umask` applied by the underlying syscall. The actual permission bits are
410 /// calculated via `permissions & !umask`. In other words, depending on your umask, the
411 /// permissions of the created file may be more restrictive (but never more permissive) than the
412 /// ones you specified.
413 ///
414 /// Permissions default to `0o600` for tempfiles and `0o777` for tempdirs. Note, this doesn't
415 /// include effects of the current `umask`. For example, combined with the standard umask
416 /// `0o022`, the defaults yield `0o600` for tempfiles and `0o755` for tempdirs.
417 ///
418 /// ## WASI
419 ///
420 /// While custom permissions are allowed on WASI, they will be ignored as the platform has no
421 /// concept of permissions or file modes (or multiple users for that matter).
422 ///
423 /// # Examples
424 ///
425 /// Create a named temporary file that is world-readable.
426 ///
427 /// ```
428 /// # #[cfg(unix)]
429 /// # {
430 /// use tempfile::Builder;
431 /// use std::os::unix::fs::PermissionsExt;
432 ///
433 /// let all_read_write = std::fs::Permissions::from_mode(0o666);
434 /// let tempfile = Builder::new().permissions(all_read_write).tempfile()?;
435 ///
436 /// // Check that this worked and that the file is world-readable.
437 /// //
438 /// // NOTE: the file likely won't actually be created with 0o666 permissions because it's
439 /// // restricted by the user's umask.
440 /// //
441 /// // NOTE: This test will fail if the user's umask is, e.g., 0o066.
442 /// let actual_permissions = tempfile.path().metadata()?.permissions();
443 /// assert_eq!(actual_permissions.mode() & 0o044, 0o044);
444 /// # }
445 /// # Ok::<(), std::io::Error>(())
446 /// ```
447 ///
448 /// Create a named temporary directory that is restricted to the owner.
449 ///
450 /// ```
451 /// # #[cfg(unix)]
452 /// # {
453 /// use tempfile::Builder;
454 /// use std::os::unix::fs::PermissionsExt;
455 ///
456 /// let owner_rwx = std::fs::Permissions::from_mode(0o700);
457 /// let tempdir = Builder::new().permissions(owner_rwx).tempdir()?;
458 /// let actual_permissions = tempdir.path().metadata()?.permissions();
459 /// assert_eq!(
460 /// actual_permissions.mode() & !0o170000,
461 /// 0o700,
462 /// "we get the narrow permissions we asked for"
463 /// );
464 /// # }
465 /// # Ok::<(), std::io::Error>(())
466 /// ```
467 pub fn permissions(&mut self, permissions: Permissions) -> &mut Self {
468 self.permissions = Some(permissions);
469 self
470 }
471
472 /// Disable cleanup of the file/folder to even when the [`NamedTempFile`]/[`TempDir`] goes out
473 /// of scope. Prefer [`NamedTempFile::keep`] and `[`TempDir::keep`] where possible,
474 /// `disable_cleanup` is provided for testing & debugging.
475 ///
476 /// By default, the file/folder is automatically cleaned up in the destructor of
477 /// [`NamedTempFile`]/[`TempDir`]. When `disable_cleanup` is set to `true`, this behavior is
478 /// suppressed. If you wish to disable cleanup after creating a temporary file/directory, call
479 /// [`NamedTempFile::disable_cleanup`] or [`TempDir::disable_cleanup`].
480 ///
481 /// # Warnings
482 ///
483 /// On some platforms (for now, only Windows), temporary files are marked with a special
484 /// "temporary file" (`FILE_ATTRIBUTE_TEMPORARY`) attribute. Disabling cleanup _will not_ unset
485 /// this attribute while calling [`NamedTempFile::keep`] will.
486 ///
487 /// # Examples
488 ///
489 /// ```
490 /// use tempfile::Builder;
491 ///
492 /// let named_tempfile = Builder::new()
493 /// .disable_cleanup(true)
494 /// .tempfile()?;
495 /// # Ok::<(), std::io::Error>(())
496 /// ```
497 pub fn disable_cleanup(&mut self, disable_cleanup: bool) -> &mut Self {
498 self.disable_cleanup = disable_cleanup;
499 self
500 }
501
502 /// Deprecated alias for [`Builder::disable_cleanup`].
503 #[deprecated = "Use Builder::disable_cleanup"]
504 pub fn keep(&mut self, keep: bool) -> &mut Self {
505 self.disable_cleanup(keep)
506 }
507
508 /// Create the named temporary file.
509 ///
510 /// # Security
511 ///
512 /// See [the security][security] docs on `NamedTempFile`.
513 ///
514 /// # Resource leaking
515 ///
516 /// See [the resource leaking][resource-leaking] docs on `NamedTempFile`.
517 ///
518 /// # Errors
519 ///
520 /// If the file cannot be created, `Err` is returned.
521 ///
522 /// # Examples
523 ///
524 /// ```
525 /// use tempfile::Builder;
526 ///
527 /// let tempfile = Builder::new().tempfile()?;
528 /// # Ok::<(), std::io::Error>(())
529 /// ```
530 ///
531 /// [security]: struct.NamedTempFile.html#security
532 /// [resource-leaking]: struct.NamedTempFile.html#resource-leaking
533 pub fn tempfile(&self) -> io::Result<NamedTempFile> {
534 self.tempfile_in(env::temp_dir())
535 }
536
537 /// Create the named temporary file in the specified directory.
538 ///
539 /// # Security
540 ///
541 /// See [the security][security] docs on `NamedTempFile`.
542 ///
543 /// # Resource leaking
544 ///
545 /// See [the resource leaking][resource-leaking] docs on `NamedTempFile`.
546 ///
547 /// # Errors
548 ///
549 /// If the file cannot be created, `Err` is returned.
550 ///
551 /// # Examples
552 ///
553 /// ```
554 /// use tempfile::Builder;
555 ///
556 /// let tempfile = Builder::new().tempfile_in("./")?;
557 /// # Ok::<(), std::io::Error>(())
558 /// ```
559 ///
560 /// [security]: struct.NamedTempFile.html#security
561 /// [resource-leaking]: struct.NamedTempFile.html#resource-leaking
562 pub fn tempfile_in<P: AsRef<Path>>(&self, dir: P) -> io::Result<NamedTempFile> {
563 util::create_helper(
564 dir.as_ref(),
565 self.prefix,
566 self.suffix,
567 self.random_len,
568 |path| {
569 file::create_named(
570 path,
571 OpenOptions::new().append(self.append),
572 self.permissions.as_ref(),
573 self.disable_cleanup,
574 )
575 },
576 )
577 }
578
579 /// Attempts to make a temporary directory inside of [`env::temp_dir()`] whose
580 /// name will have the prefix, `prefix`. The directory and
581 /// everything inside it will be automatically deleted once the
582 /// returned `TempDir` is destroyed.
583 ///
584 /// # Resource leaking
585 ///
586 /// See [the resource leaking][resource-leaking] docs on `TempDir`.
587 ///
588 /// # Errors
589 ///
590 /// If the directory can not be created, `Err` is returned.
591 ///
592 /// # Examples
593 ///
594 /// ```
595 /// use tempfile::Builder;
596 ///
597 /// let tmp_dir = Builder::new().tempdir()?;
598 /// # Ok::<(), std::io::Error>(())
599 /// ```
600 ///
601 /// [resource-leaking]: struct.TempDir.html#resource-leaking
602 pub fn tempdir(&self) -> io::Result<TempDir> {
603 self.tempdir_in(env::temp_dir())
604 }
605
606 /// Attempts to make a temporary directory inside of `dir`.
607 /// The directory and everything inside it will be automatically
608 /// deleted once the returned `TempDir` is destroyed.
609 ///
610 /// # Resource leaking
611 ///
612 /// See [the resource leaking][resource-leaking] docs on `TempDir`.
613 ///
614 /// # Errors
615 ///
616 /// If the directory can not be created, `Err` is returned.
617 ///
618 /// # Examples
619 ///
620 /// ```
621 /// use tempfile::Builder;
622 ///
623 /// let tmp_dir = Builder::new().tempdir_in("./")?;
624 /// # Ok::<(), std::io::Error>(())
625 /// ```
626 ///
627 /// [resource-leaking]: struct.TempDir.html#resource-leaking
628 pub fn tempdir_in<P: AsRef<Path>>(&self, dir: P) -> io::Result<TempDir> {
629 util::create_helper(
630 dir.as_ref(),
631 self.prefix,
632 self.suffix,
633 self.random_len,
634 |path| dir::create(path, self.permissions.as_ref(), self.disable_cleanup),
635 )
636 }
637
638 /// Attempts to create a temporary file (or file-like object) using the
639 /// provided closure. The closure is passed a temporary file path and
640 /// returns an [`std::io::Result`]. The path provided to the closure will be
641 /// inside of [`env::temp_dir()`]. Use [`Builder::make_in`] to provide
642 /// a custom temporary directory. If the closure returns one of the
643 /// following errors, then another randomized file path is tried:
644 /// - [`std::io::ErrorKind::AlreadyExists`]
645 /// - [`std::io::ErrorKind::AddrInUse`]
646 ///
647 /// This can be helpful for taking full control over the file creation, but
648 /// leaving the temporary file path construction up to the library. This
649 /// also enables creating a temporary UNIX domain socket, since it is not
650 /// possible to bind to a socket that already exists.
651 ///
652 /// Note that [`Builder::append`] is ignored when using [`Builder::make`].
653 ///
654 /// # Security
655 ///
656 /// This has the same [security implications][security] as
657 /// [`NamedTempFile`], but with additional caveats. Specifically, it is up
658 /// to the closure to ensure that the file does not exist and that such a
659 /// check is *atomic*. Otherwise, a [time-of-check to time-of-use
660 /// bug][TOCTOU] could be introduced.
661 ///
662 /// For example, the following is **not** secure:
663 ///
664 /// ```
665 /// use std::fs::File;
666 /// use tempfile::Builder;
667 ///
668 /// // This is NOT secure!
669 /// let tempfile = Builder::new().make(|path| {
670 /// if path.is_file() {
671 /// return Err(std::io::ErrorKind::AlreadyExists.into());
672 /// }
673 ///
674 /// // Between the check above and the usage below, an attacker could
675 /// // have replaced `path` with another file, which would get truncated
676 /// // by `File::create`.
677 ///
678 /// File::create(path)
679 /// })?;
680 /// # Ok::<(), std::io::Error>(())
681 /// ```
682 ///
683 /// Note that simply using [`std::fs::File::create`] alone is not correct
684 /// because it does not fail if the file already exists:
685 ///
686 /// ```
687 /// use tempfile::Builder;
688 /// use std::fs::File;
689 ///
690 /// // This could overwrite an existing file!
691 /// let tempfile = Builder::new().make(|path| File::create(path))?;
692 /// # Ok::<(), std::io::Error>(())
693 /// ```
694 /// For creating regular temporary files, use [`Builder::tempfile`] instead
695 /// to avoid these problems. This function is meant to enable more exotic
696 /// use-cases.
697 ///
698 /// # Resource leaking
699 ///
700 /// See [the resource leaking][resource-leaking] docs on `NamedTempFile`.
701 ///
702 /// # Errors
703 ///
704 /// If the closure returns any error besides
705 /// [`std::io::ErrorKind::AlreadyExists`] or
706 /// [`std::io::ErrorKind::AddrInUse`], then `Err` is returned.
707 ///
708 /// # Examples
709 /// ```
710 /// # #[cfg(unix)]
711 /// # {
712 /// use std::os::unix::net::UnixListener;
713 /// use tempfile::Builder;
714 ///
715 /// let tempsock = Builder::new().make(|path| UnixListener::bind(path))?;
716 /// # }
717 /// # Ok::<(), std::io::Error>(())
718 /// ```
719 ///
720 /// [TOCTOU]: https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
721 /// [security]: struct.NamedTempFile.html#security
722 /// [resource-leaking]: struct.NamedTempFile.html#resource-leaking
723 pub fn make<F, R>(&self, f: F) -> io::Result<NamedTempFile<R>>
724 where
725 F: FnMut(&Path) -> io::Result<R>,
726 {
727 self.make_in(env::temp_dir(), f)
728 }
729
730 /// This is the same as [`Builder::make`], except `dir` is used as the base
731 /// directory for the temporary file path.
732 ///
733 /// See [`Builder::make`] for more details and security implications.
734 ///
735 /// # Examples
736 /// ```
737 /// # #[cfg(unix)]
738 /// # {
739 /// use tempfile::Builder;
740 /// use std::os::unix::net::UnixListener;
741 ///
742 /// let tempsock = Builder::new().make_in("./", |path| UnixListener::bind(path))?;
743 /// # }
744 /// # Ok::<(), std::io::Error>(())
745 /// ```
746 pub fn make_in<F, R, P>(&self, dir: P, mut f: F) -> io::Result<NamedTempFile<R>>
747 where
748 F: FnMut(&Path) -> io::Result<R>,
749 P: AsRef<Path>,
750 {
751 util::create_helper(
752 dir.as_ref(),
753 self.prefix,
754 self.suffix,
755 self.random_len,
756 move |path| {
757 Ok(NamedTempFile::from_parts(
758 f(&path)?,
759 TempPath::new(path, self.disable_cleanup),
760 ))
761 },
762 )
763 }
764}