[Freewx-maint] Bug#775461: python-wxgtk3.0: wx.tools.img2py: insecure use of /tmp

Jakub Wilk jwilk at debian.org
Wed Jan 21 10:51:28 UTC 2015

Hi Olly!

* Olly Betts <olly at survex.com>, 2015-01-21, 10:48:
>I've come up with a patch (attached), but I'm not really a Python 
>programmer, so I'd appreciate a review to make sure I'm not doing 
>something dumb.

I'm busy, so I had only a quick look at the patch:

>-                    xmltemp = tempfile.mktemp('.xml')
>+                    xmltemp = tempfile.mkstemp('.xml')[1]

This leaks the file descriptor...

>+    (swigFile, swigDestTemp) = tempfile.mkstemp('.tmp')
>     swigFile.write(renamerTemplateStart % sys.argv[0])

Here swigFile is a file descriptor (an integer), which doesn't have a 
"write" method. So this doesn't work at all.

You probably want to use tempfile.NamedTemporaryFile, which gives you a 
file-like object, instead of mkstemp.

>-    pyFile = open(pyDestTemp, "w")
>+    (pyFile, pyDestTemp) = tempfile.mkstemp('.tmp')


>-                        self.f = open(filename, 'w')
>+                        (self.f,filename) = tempfile.mkstemp(dir=self.dir)
>+                        filename = os.path.abspath(filename)

Same problem again.

>-    tfname = tempfile.mktemp()
>+    tfname = tempfile.mkstemp()[1]

FD leak.

Sorry for being terse and not very constructive. If you want to trick 
;-) someone into writing a better patch for you, I'd suggest asking on 
debian-python at ldo.

Jakub Wilk

More information about the Freewx-maint mailing list