[pkg] brutespray - review

Lukas Schwaighofer lukas at schwaighofer.name
Sat Jul 22 20:06:37 UTC 2017


On Sat, 22 Jul 2017 21:12:11 +0200
Stéphane Neveu <stefneveu at gmail.com> wrote:

> >
> > However I read a bit of the python code and brutespray.py does some
> > things which will lead to unexpected results (e.g. it will basically
> > perform the equivalent of `rm tmp/*` on each startup, which is
> > something quite unexpected to do for a program that I start).
> >
> > Actually, I think that before we can improve on that behavior
> > (preferably by submitting a pull request upstream patching
> > brutespray to use a proper temporary directory), I think the
> > program is unsuitable for Debian.  (I feel a bit personally
> > affected by this as I usually keep a ~/tmp dir with some stuff that
> > I am temporarily working on, so using this script could cause some
> > things I'm working on to be lost.)
> >
> > Maybe ask a DD here for advice? I also CCd Sophie, maybe she has
> > advice or an opinion as well.
> >  
> 
>     if not os.path.exists("tmp/"):
>         os.mkdir("tmp/")
>     tmppath = "tmp/"
>     filelist = os.listdir(tmppath)
>     for filename in filelist:
>         os.remove(tmppath+filename)
> 
> Yes, that's not really clean, I have to agree. No hope to fix that with
> a simple patch that replaces tmp/ by /tmp/brutespray ?
> Nevertheless, I agree with you, it would be sane to submit a patch
> upstream.

I didn't look closely how the tmp directory is used by brutespray.  If
it is a temporary directory in the "usual" sense, a proper solution
would be to use the python tempfile module to create a temporary
directory and automatically clean that up.  However, it really depends
on how brutespray uses that directory…

Hardcoding /tmp/brutespray is not a proper solution… think of multiple
users on one system, for example, where this would cause problems.

Regards
Lukas
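The two approaches under discussion side by side, as an added example that is not code from brutespray or from either poster. `clear_relative_tmp` reproduces the quoted startup logic but rooted at an explicit directory (a constructed sandbox, so the demonstration never touches the caller's real `./tmp`); `private_workdir` is the `tempfile`-based replacement the reply suggests: a fresh, per-invocation directory under the system temp location that is removed automatically when the tool finishes. All function names are hypothetical.

```python
import os
import shutil
import stat
import tempfile
from contextlib import contextmanager


def clear_relative_tmp(cwd):
    """Replicates the quoted brutespray startup code, but anchored at `cwd`
    instead of the real working directory so it can be shown safely.
    Returns the names of the files it deleted."""
    tmppath = os.path.join(cwd, "tmp")
    if not os.path.exists(tmppath):
        os.mkdir(tmppath)
    removed = []
    for filename in os.listdir(tmppath):
        # Same effect as `rm tmp/*`: every file under ./tmp is gone,
        # whoever put it there.
        os.remove(os.path.join(tmppath, filename))
        removed.append(filename)
    return removed


@contextmanager
def private_workdir(prefix="brutespray-"):
    """Hardened replacement: mkdtemp() creates a uniquely named directory
    with mode 0700 under the system temp location (honouring TMPDIR), so
    two users or two concurrent runs never share or clobber it. It is
    deleted on exit, including on exceptions."""
    with tempfile.TemporaryDirectory(prefix=prefix) as path:
        yield path


def demo_collision():
    """Constructed scenario: the user keeps notes in ./tmp and starts the
    tool from that directory. Returns what the original logic deleted."""
    sandbox = tempfile.mkdtemp(prefix="brutespray-demo-")
    try:
        os.mkdir(os.path.join(sandbox, "tmp"))
        with open(os.path.join(sandbox, "tmp", "notes.txt"), "w") as f:
            f.write("work in progress\n")
        return clear_relative_tmp(sandbox)
    finally:
        shutil.rmtree(sandbox)


def demo_hardened():
    """Uses the private directory, then reports: whether it existed while
    in use, whether it still exists afterwards, its permission bits, and
    whether it lives under the system temp directory."""
    with private_workdir() as path:
        with open(os.path.join(path, "scan.out"), "w") as f:
            f.write("scan output would go here\n")
        existed = os.path.isdir(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        inside_tmp = path.startswith(tempfile.gettempdir())
    return existed, os.path.exists(path), mode, inside_tmp


if __name__ == "__main__":
    print("original logic removed:", demo_collision())
    print("hardened (existed, still_exists, mode, under_tmp):", demo_hardened())
```

The permission check assumes a POSIX system; on Linux `mkdtemp` creates the directory with mode 0700, which is also what closes the multi-user problem raised in the reply, since another user cannot pre-create or read a fixed path such as /tmp/brutespray.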