[Python-modules-team] Bug#737051: python-logilab-common: insecure use of /tmp
Julien Cristau
julien.cristau at logilab.fr
Mon Feb 3 14:12:14 UTC 2014
Thanks for the report, Jakub.
On Wed, Jan 29, 2014 at 20:27:58 +0100, Jakub Wilk wrote:
> Package: python-logilab-common
> Version: 0.60.1-1
> Severity: important
> Tags: security
>
> I saw these gems in logilab/common/pdf_ext.py:
>
> def extract_keys_from_pdf(filename):
>     # what about using 'pdftk filename dump_data_fields' and parsing the output ?
>     os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
>     lines = file('/tmp/toto.fdf').readlines()
>     return extract_keys(lines)
>
> def fill_pdf(infile, outfile, fields):
>     write_fields(file('/tmp/toto.fdf', 'w'), fields)
>     os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))
>
Tracked upstream as http://www.logilab.org/ticket/207561
On Wed, Jan 29, 2014 at 21:21:49 +0100, Jakub Wilk wrote:
> More vulnerable code in logilab/common/shellutils.py:
>
> class Execute:
>     """This is a deadlock safe version of popen2 (no stdin), that returns
>     an object with errorlevel, out and err.
>     """
>
>     def __init__(self, command):
>         outfile = tempfile.mktemp()
>         errfile = tempfile.mktemp()
>         self.status = os.system("( %s ) >%s 2>%s" %
>                                 (command, outfile, errfile)) >> 8
>         self.out = open(outfile, "r").read()
>         self.err = open(errfile, "r").read()
>         os.remove(outfile)
>         os.remove(errfile)
>
> From the tempfile.mktemp() docstring: “This function is unsafe and
> should not be used. The file name refers to a file that did not
> exist at some point, but by the time you get around to creating it,
> someone else may have beaten you to the punch.”
>
Tracked as http://www.logilab.org/ticket/207562
Cheers,
Julien
--
Julien Cristau <julien.cristau at logilab.fr>
Logilab http://www.logilab.fr/
Scientific computing & knowledge management
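The two reports above share three defects: a fixed, world-shared path under /tmp (anyone on the machine can pre-create or symlink /tmp/toto.fdf), tempfile.mktemp()'s name-then-create race, and os.system() with a format string (a file name containing a space, a semicolon or a quote is parsed by the shell). The following is an added example, not logilab-common's code and not part of the bug report, showing how both snippets can be written without those problems: a private mkdtemp-backed directory instead of a shared path, and subprocess with an argv list instead of a shell string. It assumes the pdftk argument order exactly as quoted; extract_keys and write_fields are simplified stand-ins for the module's own helpers, and the pdftk argv prefix is a parameter so the code can be exercised with a constructed stand-in tool when pdftk is not installed.

```python
import os
import re
import subprocess
import sys
import tempfile

# Added example; assumes pdftk's argument order as shown in the bug report.
_FIELD_NAME = re.compile(r"/T\s*\((.*?)\)")


def extract_keys(lines):
    """Collect field names (/T (name)) from FDF text; simplified stand-in."""
    return [m.group(1) for line in lines for m in _FIELD_NAME.finditer(line)]


def _pdf_string(value):
    """Escape backslash and parentheses for a PDF literal string."""
    return value.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def write_fields(stream, fields):
    """Write a minimal FDF document; simplified stand-in for the module's own."""
    stream.write("%FDF-1.2\n1 0 obj << /FDF << /Fields [\n")
    for name, value in fields.items():
        stream.write("<< /T (%s) /V (%s) >>\n" % (_pdf_string(name), _pdf_string(value)))
    stream.write("] >> >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


def run_capture(argv):
    """Replacement for the quoted Execute class.

    subprocess.run drains stdout and stderr concurrently (no deadlock), so no
    temp files are needed at all, and argv is a list, so nothing is parsed by
    a shell.  returncode is the exit status directly (no '>> 8').
    """
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def _run_or_raise(argv):
    status, _out, err = run_capture(argv)
    if status != 0:
        raise RuntimeError("command failed with status %d: %s" % (status, err.strip()))


def extract_keys_from_pdf(filename, pdftk=("pdftk",)):
    """Generate the FDF in a fresh mode-0700 directory (mkdtemp), so no other
    user can pre-create or symlink the path, then parse it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        fdf = os.path.join(tmpdir, "form.fdf")
        # filename is a single argv element: spaces or ';' in it stay data
        _run_or_raise([*pdftk, filename, "generate_fdf", "output", fdf])
        with open(fdf, encoding="latin-1") as fh:
            return extract_keys(fh.readlines())


def fill_pdf(infile, outfile, fields, pdftk=("pdftk",)):
    """Write the FDF to a private directory, then fill and flatten the form."""
    with tempfile.TemporaryDirectory() as tmpdir:
        fdf = os.path.join(tmpdir, "fields.fdf")
        with open(fdf, "w", encoding="latin-1") as fh:
            write_fields(fh, fields)
        _run_or_raise([*pdftk, infile, "fill_form", fdf, "output", outfile, "flatten"])


# Constructed stand-in for pdftk, run as 'python -c SCRIPT <pdftk args>', so
# sys.argv[1:] holds the pdftk arguments.  It emits two field names for
# generate_fdf and copies the FDF to the output path for fill_form.
FAKE_PDFTK_SCRIPT = r"""
import shutil, sys
if sys.argv[2] == "generate_fdf":
    with open(sys.argv[4], "w") as fh:
        fh.write("/T (name)\n/T (email)\n")
else:
    shutil.copy(sys.argv[3], sys.argv[5])
"""


def demo():
    """Round-trip both helpers through the stand-in tool; returns a dict."""
    fake_pdftk = (sys.executable, "-c", FAKE_PDFTK_SCRIPT)
    with tempfile.TemporaryDirectory() as work:
        # a name a shell would split and misinterpret; harmless as an argv element
        src = os.path.join(work, "annual report; 2014.pdf")
        open(src, "w").close()  # empty stand-in for a PDF form (constructed)
        keys = extract_keys_from_pdf(src, pdftk=fake_pdftk)
        out = os.path.join(work, "filled.pdf")
        fill_pdf(src, out, {"name": "Ada", "email": "ada@example.org"}, pdftk=fake_pdftk)
        with open(out, encoding="latin-1") as fh:
            filled = fh.read()
    rc, stdout, stderr = run_capture(
        [sys.executable, "-c", "import sys; print('out'); sys.stderr.write('err'); sys.exit(3)"])
    return {"keys": keys, "filled": filled, "rc": rc, "out": stdout, "err": stderr}


if __name__ == "__main__":
    print(demo())
```

tempfile.TemporaryDirectory() wraps mkdtemp(), which creates the directory atomically with mode 0700, so the FDF path is never predictable to, or writable by, another local user; the directory is removed when the with block exits, which also covers the case where pdftk fails and the original code would have left /tmp/toto.fdf behind.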