script: Change insecure mktemp to NamedTemporaryFile (#3444)

Deprecated mktemp function returns an arbitrary file name to use for a temporary file. However, the application does not immediately create/open this file. This introduces an opportunity for an attacker to interfere with the file to be created. Documentation on tempfile recommends replacing mktemp with NamedTemporaryFile. By doing this, there is no window between getting the temp file name and opening it.
OSGeo · Feb 22, 2024 · f3172de · f3172de
1 parent e0f9153
commit f3172de
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/python/grass/script/setup.py b/python/grass/script/setup.py
@@ -97,8 +97,8 @@
 
 def write_gisrc(dbase, location, mapset):
     """Write the ``gisrc`` file and return its path."""
-    gisrc = tmpfile.mktemp()
-    with open(gisrc, "w") as rc:
+    with tmpfile.NamedTemporaryFile(mode="w", delete=False) as rc:
+        gisrc = rc.name
         rc.write("GISDBASE: %s\n" % dbase)
         rc.write("LOCATION_NAME: %s\n" % location)
         rc.write("MAPSET: %s\n" % mapset)