[Python-modules-team] Bug#737051: python-logilab-common: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Wed Jan 29 19:27:58 UTC 2014
Package: python-logilab-common
Version: 0.60.1-1
Severity: important
Tags: security
I saw these gems in logilab/common/pdf_ext.py:
    def extract_keys_from_pdf(filename):
        # what about using 'pdftk filename dump_data_fields' and parsing the output ?
        os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
        lines = file('/tmp/toto.fdf').readlines()
        return extract_keys(lines)

    def fill_pdf(infile, outfile, fields):
        write_fields(file('/tmp/toto.fdf', 'w'), fields)
        os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))
--
Jakub Wilk
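For reference, a hardened version of the two functions quoted in the report. This is an added example, not code from the bug report or from logilab-common: the FDF scratch file lives in a private, randomly named temporary directory instead of the fixed, world-writable /tmp/toto.fdf, and pdftk is invoked with an argument list rather than a shell command built from the filename with %s. The extract_keys and write_fields helpers are hypothetical stand-ins (the package's own are not shown on the page), and FakePdftk replaces the real pdftk binary so the example runs offline.

```python
import os
import subprocess
import tempfile


def extract_keys(lines):
    # Hypothetical stand-in for the package's helper: collect field names
    # from "/T (name)" lines, the form pdftk uses in a generated FDF.
    keys = []
    for line in lines:
        line = line.strip()
        if line.startswith('/T (') and line.endswith(')'):
            keys.append(line[4:-1])
    return keys


def write_fields(fh, fields):
    # Hypothetical stand-in for the package's helper: emit one /T /V pair
    # per field into an already opened FDF file.
    for name, value in fields.items():
        fh.write('/T (%s) /V (%s)\n' % (name, value))


def extract_keys_from_pdf(filename, run=subprocess.check_call):
    # TemporaryDirectory is created mode 0700 with an unpredictable name, so
    # another local user cannot pre-create or symlink the FDF path, and two
    # concurrent callers no longer share one file.
    with tempfile.TemporaryDirectory(prefix='pdf_ext-') as tmpdir:
        fdf_path = os.path.join(tmpdir, 'form.fdf')
        # argv list, no shell: the filename is passed as a single argument
        # whatever characters it contains.
        run(['pdftk', filename, 'generate_fdf', 'output', fdf_path])
        with open(fdf_path) as fh:
            return extract_keys(fh.readlines())


def fill_pdf(infile, outfile, fields, run=subprocess.check_call):
    with tempfile.TemporaryDirectory(prefix='pdf_ext-') as tmpdir:
        fdf_path = os.path.join(tmpdir, 'form.fdf')
        with open(fdf_path, 'w') as fh:
            write_fields(fh, fields)
        run(['pdftk', infile, 'fill_form', fdf_path, 'output', outfile, 'flatten'])


class FakePdftk:
    """Offline stand-in for subprocess.check_call: records every argv it is
    handed and, for generate_fdf, writes a constructed FDF to the output path."""

    FDF = "%FDF-1.2\n/T (name)\n/T (email)\n"  # constructed sample output

    def __init__(self):
        self.calls = []

    def __call__(self, argv):
        self.calls.append(list(argv))
        if 'generate_fdf' in argv:
            with open(argv[argv.index('output') + 1], 'w') as fh:
                fh.write(self.FDF)
        return 0


def demo():
    fake = FakePdftk()
    # Constructed filename with a space and a semicolon: under os.system it
    # would have been split and interpreted by the shell.
    awkward = 'annual report; 2014.pdf'
    keys = extract_keys_from_pdf(awkward, run=fake)
    fill_pdf(awkward, 'out.pdf', {'name': 'Alice'}, run=fake)
    fdf_path = fake.calls[0][4]
    return {
        'keys': keys,
        'calls': fake.calls,
        'fdf_leftover': os.path.exists(fdf_path),  # False: dir cleaned up
    }


if __name__ == '__main__':
    result = demo()
    print(result['keys'])
    for argv in result['calls']:
        print(argv)
```

Running demo() shows the awkward filename arriving as one argv element in both pdftk invocations and the scratch file being removed with its directory afterwards; with the real subprocess.check_call as the default runner the same code drives the actual pdftk binary.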