[Freewx-maint] Bug#775461: python-wxgtk3.0: wx.tools.img2py: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Wed Jan 21 10:51:28 UTC 2015
Hi Olly!
* Olly Betts <olly at survex.com>, 2015-01-21, 10:48:
>I've come up with a patch (attached), but I'm not really a Python
>programmer, so I'd appreciate a review to make sure I'm not doing
>something dumb.
I'm busy, so I had only a quick look at the patch:
>- xmltemp = tempfile.mktemp('.xml')
>+ xmltemp = tempfile.mkstemp('.xml')[1]
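
Review bot: On the `+` line, indexing `mkstemp('.xml')[1]` throws away element 0, the already-open OS-level descriptor, so it stays open for the life of the process. Unpack both values and close the descriptor before the path is used, for example `fd, xmltemp = tempfile.mkstemp('.xml')` followed by `os.close(fd)`.
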
This leaks the file descriptor...
>+ (swigFile, swigDestTemp) = tempfile.mkstemp('.tmp')
> swigFile.write(renamerTemplateStart % sys.argv[0])
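
Review bot: `swigFile` on the `+` line is bound to the integer descriptor that `mkstemp` returns, so the unchanged `swigFile.write(...)` call right after it raises AttributeError. Wrap the descriptor first with `os.fdopen(swigFile, 'w')`, or create the file with `tempfile.NamedTemporaryFile(suffix='.tmp', delete=False)` and read the path from its `.name` if the file has to outlive the close.
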
Here swigFile is a file descriptor (an integer), which doesn't have a
"write" method. So this doesn't work at all.
You probably want to use tempfile.NamedTemporaryFile, which gives you a
file-like object, instead of mkstemp.
>- pyFile = open(pyDestTemp, "w")
>+ (pyFile, pyDestTemp) = tempfile.mkstemp('.tmp')
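
Review bot: `pyFile` was the file object returned by `open(pyDestTemp, "w")` and after this change is an integer descriptor, so any later use of it as a file will fail. Keep the old type by wrapping the descriptor, for example `fd, pyDestTemp = tempfile.mkstemp('.tmp')` then `pyFile = os.fdopen(fd, 'w')`.
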
Ditto.
>- self.f = open(filename, 'w')
>+ (self.f,filename) = tempfile.mkstemp(dir=self.dir)
>+ filename = os.path.abspath(filename)
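
Review bot: Two things on the first `+` line. `self.f` becomes an integer descriptor where the removed line stored a file object, so it needs `os.fdopen(fd, 'w')` before anything writes through it. The assignment also rebinds `filename` to the generated name, so the name that the removed `open(filename, 'w')` used is no longer honoured; code that relies on that name should be checked. Minor style point: add a space after the comma in `(self.f,filename)`.
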
Same problem again.
>- tfname = tempfile.mktemp()
>+ tfname = tempfile.mkstemp()[1]
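
Review bot: Same pattern as the `xmltemp` change: `mkstemp()[1]` keeps only the path and drops the open descriptor without closing it. Use `fd, tfname = tempfile.mkstemp()` and `os.close(fd)` before `tfname` is passed on.
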
FD leak.
Sorry for being terse and not very constructive. If you want to trick
;-) someone into writing a better patch for you, I'd suggest asking on
debian-python at ldo.
--
Jakub Wilk
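
The descriptor-versus-file-object distinction raised in the reply above, as an added example that is not part of the original message or of the wxPython code. The function names and the sample text are constructed for illustration.

```python
import os
import stat
import tempfile


def temp_path_only(suffix):
    """Caller only needs a name to pass on (the xmltemp / tfname case)."""
    fd, path = tempfile.mkstemp(suffix)  # created atomically, owner-only mode
    os.close(fd)                         # close the descriptor, don't discard it
    return path


def temp_via_fdopen(suffix, text):
    """Keep mkstemp but wrap the integer descriptor before writing."""
    fd, path = tempfile.mkstemp(suffix)
    with os.fdopen(fd, "w") as f:        # closing f also closes fd
        f.write(text)
    return path


def temp_via_named(suffix, text):
    """NamedTemporaryFile yields a file-like object; delete=False keeps the file."""
    with tempfile.NamedTemporaryFile("w", suffix=suffix, delete=False) as f:
        f.write(text)
    return f.name


def demo():
    """Create one file per pattern, report what was observed, then clean up."""
    fd, probe = tempfile.mkstemp(".tmp")
    report = {"fd_is_int": isinstance(fd, int), "fd_has_write": hasattr(fd, "write")}
    os.close(fd)
    paths = [probe, temp_path_only(".xml"),
             temp_via_fdopen(".tmp", "constructed sample\n"),
             temp_via_named(".tmp", "constructed sample\n")]
    # No group/other permission bits on any of the files.
    report["owner_only"] = all(
        stat.S_IMODE(os.stat(p).st_mode) & 0o077 == 0 for p in paths)
    with open(paths[2]) as a, open(paths[3]) as b:
        report["contents"] = (a.read(), b.read())
    for p in paths:
        os.unlink(p)
    return report


if __name__ == "__main__":
    print(demo())
```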