[pkg] brutespray - review

Stéphane Neveu stefneveu at gmail.com
Sun Jul 23 16:55:41 UTC 2017


Hi all,

2017-07-23 18:02 GMT+02:00 Gianfranco Costamagna <locutusofborg at debian.org>:
> Hello,
>
>
>>I didn't look closely how the tmp directory is used by brutespray.  If
>>it is a temporary directory in the "usual" sense, a proper solution
>>would be to use the python tempfile module to create a temporary
>>directory and automatically clean that up.  However, it really depends
>>on how brutespray uses that directory…
>
>
> true
>
>>Hardcoding /tmp/brutespray is not a proper solution… think of multiple
>>users on one system, for example, where this would cause problems.
>
>
> I agree, I use tmp too much, and I would be bothered a lot if it were
> deleted by a program.
> This is an RC bug in Debian (causing data loss for other applications).
>
> BTW this seems to be not /tmp, but rather a "tmp" in the current directory.
> But this doesn't make it better, probably just worse
>
> if not os.path.exists("tmp/"):
>     os.mkdir("tmp/")
> tmppath = "tmp/"
>
>
>
> Without having done a deep look at the code, I would use some mktemp function
> instead
> https://docs.python.org/2/library/tempfile.html
> tempfile.mktemp()
> '/tmp/tmpbFMFjp'
>
>

I'll work on a patch to do something like:
import tempfile

try:
    tmppath = tempfile.mkdtemp(prefix="brutespray-tmp")
    outputpath = tempfile.mkdtemp(prefix="brutespray-output")
except (OSError, IOError):
    # catch only filesystem errors rather than every exception
    print("\nError while creating brutespray temporary directories")
...

then call the brute function with these new args. mktemp() is not used anymore.
I'll submit it upstream when done.

Best regards,

Stephane
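
Added example, not part of the original message or of brutespray's code: a Python 3 comparison of the fixed "tmp/" pattern quoted above with a per-run tempfile.mkdtemp() directory that is owner-only and is the only thing removed at exit. The names legacy_tmp, private_workdir and demo, and the file other-app.dat, are constructed for illustration.

```python
import contextlib
import os
import shutil
import stat
import tempfile


def legacy_tmp(base):
    """Fixed 'tmp/' under the working directory, as in the quoted snippet."""
    path = os.path.join(base, "tmp")
    if not os.path.exists(path):
        os.mkdir(path)
    return path  # may already exist and hold files this run does not own


@contextlib.contextmanager
def private_workdir(prefix="brutespray-tmp"):
    """Yield a fresh mkdtemp() directory and remove only that one on exit."""
    path = tempfile.mkdtemp(prefix=prefix)
    try:
        yield path
    finally:
        shutil.rmtree(path, ignore_errors=True)


def demo():
    """Compare both patterns inside a throwaway sandbox directory."""
    sandbox = tempfile.mkdtemp(prefix="demo-")
    try:
        # Constructed scenario: another program already keeps data in ./tmp
        other = os.path.join(sandbox, "tmp", "other-app.dat")
        os.mkdir(os.path.dirname(other))
        open(other, "w").close()
        result = {"legacy_sees": os.listdir(legacy_tmp(sandbox))}
        with private_workdir() as tmppath:
            mode = stat.S_IMODE(os.stat(tmppath).st_mode)
            result["owner_only"] = mode & 0o077 == 0
            result["starts_empty"] = os.listdir(tmppath) == []
        result["removed_on_exit"] = not os.path.exists(tmppath)
        result["other_data_intact"] = os.path.exists(other)
        return result
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    print(demo())
```

The legacy_sees entry lists the other program's file, which is what a cleanup of the shared "tmp/" directory would delete.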


