ENH: remove insecure mktemp use
mktemp only returns a filename; a malicious user could replace it before
it gets used.
juliantaylor committed Feb 5, 2014
1 parent b785070 commit 0bb46c1
Showing 5 changed files with 50 additions and 51 deletions.
34 changes: 16 additions & 18 deletions numpy/core/tests/test_memmap.py
@@ -1,7 +1,7 @@
from __future__ import division, absolute_import, print_function

import sys
from tempfile import NamedTemporaryFile, TemporaryFile, mktemp
from tempfile import NamedTemporaryFile, TemporaryFile
import os

from numpy import memmap
Expand Down Expand Up @@ -33,12 +33,11 @@ def test_roundtrip(self):
assert_array_equal(self.data, newfp)

def test_open_with_filename(self):
tmpname = mktemp('', 'mmap')
fp = memmap(tmpname, dtype=self.dtype, mode='w+',
shape=self.shape)
fp[:] = self.data[:]
del fp
os.unlink(tmpname)
with NamedTemporaryFile() as tmp:
fp = memmap(tmp.name, dtype=self.dtype, mode='w+',
shape=self.shape)
fp[:] = self.data[:]
del fp

def test_unnamed_file(self):
with TemporaryFile() as f:
Expand All @@ -55,17 +54,16 @@ def test_attributes(self):
del fp

def test_filename(self):
tmpname = mktemp('', 'mmap')
fp = memmap(tmpname, dtype=self.dtype, mode='w+',
shape=self.shape)
abspath = os.path.abspath(tmpname)
fp[:] = self.data[:]
self.assertEqual(abspath, fp.filename)
b = fp[:1]
self.assertEqual(abspath, b.filename)
del b
del fp
os.unlink(tmpname)
with NamedTemporaryFile() as tmp:
fp = memmap(tmp.name, dtype=self.dtype, mode='w+',
shape=self.shape)
abspath = os.path.abspath(tmp.name)
fp[:] = self.data[:]
self.assertEqual(abspath, fp.filename)
b = fp[:1]
self.assertEqual(abspath, b.filename)
del b
del fp

def test_filename_fileobj(self):
fp = memmap(self.tmpfp, dtype=self.dtype, mode="w+",
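Review bot: In `test_open_with_filename` and `test_filename`, `memmap(tmp.name, ..., mode='w+')` opens the file by name a second time while the `NamedTemporaryFile` handle is still open, which works on Unix but is not permitted on Windows. Creating a private directory with `tempfile.mkdtemp()` and mapping a path inside it keeps the race-free creation without the double open. The same pattern appears in `setUp` in numpy/core/tests/test_multiarray.py (`self.filename = self.file.name`, later passed to `tofile`) and in `compile` in numpy/f2py/__init__.py, where the spawned f2py process is given `f.name`. Cleanup here also appears to rely on `del fp` releasing the mapping before the `with` block closes the file; a short comment such as `# drop the mapping before the temp file is closed` would make that ordering explicit.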
13 changes: 3 additions & 10 deletions numpy/core/tests/test_multiarray.py
Expand Up @@ -2316,12 +2316,11 @@ def setUp(self):
self.x = rand(shape) + rand(shape).astype(np.complex)*1j
self.x[0,:, 1] = [nan, inf, -inf, nan]
self.dtype = self.x.dtype
self.filename = tempfile.mktemp()
self.file = tempfile.NamedTemporaryFile()
self.filename = self.file.name

def tearDown(self):
if os.path.isfile(self.filename):
os.unlink(self.filename)
#tmp_file.close()
self.file.close()

def test_bool_fromstring(self):
v = np.array([True, False, True, False], dtype=np.bool_)
Expand Down Expand Up @@ -2349,7 +2348,6 @@ def test_roundtrip_file(self):
y = np.fromfile(f, dtype=self.dtype)
f.close()
assert_array_equal(y, self.x.flat)
os.unlink(self.filename)

def test_roundtrip_filename(self):
self.x.tofile(self.filename)
Expand Down Expand Up @@ -2402,8 +2400,6 @@ def test_file_position_after_fromfile(self):
f.close()
assert_equal(pos, 10, err_msg=err_msg)

os.unlink(self.filename)

def test_file_position_after_tofile(self):
# gh-4118
sizes = [io.DEFAULT_BUFFER_SIZE//8,
Expand Down Expand Up @@ -2431,8 +2427,6 @@ def test_file_position_after_tofile(self):
f.close()
assert_equal(pos, 10, err_msg=err_msg)

os.unlink(self.filename)

def _check_from(self, s, value, **kw):
y = np.fromstring(asbytes(s), **kw)
assert_array_equal(y, value)
Expand Down Expand Up @@ -2535,7 +2529,6 @@ def test_tofile_sep(self):
s = f.read()
f.close()
assert_equal(s, '1.51,2.0,3.51,4.0')
os.unlink(self.filename)

def test_tofile_format(self):
x = np.array([1.51, 2, 3.51, 4], dtype=float)
26 changes: 13 additions & 13 deletions numpy/f2py/__init__.py
Expand Up @@ -28,20 +28,20 @@ def compile(source,
from numpy.distutils.exec_command import exec_command
import tempfile
if source_fn is None:
fname = os.path.join(tempfile.mktemp()+'.f')
f = tempfile.NamedTemporaryFile(suffix='.f')
else:
fname = source_fn

f = open(fname, 'w')
f.write(source)
f.close()

args = ' -c -m %s %s %s'%(modulename, fname, extra_args)
c = '%s -c "import numpy.f2py as f2py2e;f2py2e.main()" %s' %(sys.executable, args)
s, o = exec_command(c)
if source_fn is None:
try: os.remove(fname)
except OSError: pass
f = open(source_fn, 'w')

try:
f.write(source)
f.flush()

args = ' -c -m %s %s %s'%(modulename, f.name, extra_args)
c = '%s -c "import numpy.f2py as f2py2e;f2py2e.main()" %s' % \
(sys.executable, args)
s, o = exec_command(c)
finally:
f.close()
return s

from numpy.testing import Tester
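Review bot: The two branches in `compile` now open the file in different modes: `tempfile.NamedTemporaryFile(suffix='.f')` defaults to binary (`'w+b'`), while `open(source_fn, 'w')` is text, so `f.write(source)` with a `str` source will raise `TypeError` on Python 3 whenever `source_fn` is None. Passing the mode explicitly, `f = tempfile.NamedTemporaryFile(mode='w', suffix='.f')`, keeps both paths consistent. Separately, `modulename`, `f.name` and `extra_args` are interpolated into a single command string for `exec_command`; if any of them can contain spaces or come from outside the caller's control, they should be quoted or passed as an argument list. The start of `compile` lies outside the hunk.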
4 changes: 2 additions & 2 deletions numpy/f2py/f2py2e.py
Expand Up @@ -91,7 +91,7 @@
--lower is assumed with -h key, and --no-lower without -h key.
--build-dir <dirname> All f2py generated files are created in <dirname>.
Default is tempfile.mktemp().
Default is tempfile.mkdtemp().
--overwrite-signature Overwrite existing signature file.
Expand Down Expand Up @@ -424,7 +424,7 @@ def run_compile():
del sys.argv[i]
else:
remove_build_dir = 1
build_dir = os.path.join(tempfile.mktemp())
build_dir = tempfile.mkdtemp()

_reg1 = re.compile(r'[-][-]link[-]')
sysinfo_flags = [_m for _m in sys.argv[1:] if _reg1.match(_m)]
24 changes: 16 additions & 8 deletions numpy/lib/tests/test_io.py
Expand Up @@ -4,7 +4,9 @@
import gzip
import os
import threading
from tempfile import mkstemp, mktemp, NamedTemporaryFile
import shutil
import contextlib
from tempfile import mkstemp, mkdtemp, NamedTemporaryFile
import time
import warnings
import gc
Expand All @@ -21,6 +23,12 @@
assert_raises, run_module_suite)
from numpy.testing import assert_warns, assert_, build_err_msg

@contextlib.contextmanager
def tempdir(change_dir=False):
tmpdir = mkdtemp()
yield tmpdir
shutil.rmtree(tmpdir)


class TextIO(BytesIO):
"""Helper IO class.
Expand Down Expand Up @@ -177,14 +185,14 @@ def roundtrip(self, *args, **kwargs):
@np.testing.dec.slow
def test_big_arrays(self):
L = (1 << 31) + 100000
tmp = mktemp(suffix='.npz')
a = np.empty(L, dtype=np.uint8)
np.savez(tmp, a=a)
del a
npfile = np.load(tmp)
a = npfile['a']
npfile.close()
os.remove(tmp)
with tempdir() as tmpdir:
tmp = open(os.path.join(tmpdir, "file.npz"), "w")
np.savez(tmp, a=a)
del a
npfile = np.load(tmp)
a = npfile['a']
npfile.close()

def test_multiple_arrays(self):
a = np.array([[1, 2], [3, 4]], float)
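Review bot: In `test_big_arrays`, `tmp = open(os.path.join(tmpdir, "file.npz"), "w")` hands `np.savez` a text-mode, write-only handle, and the same handle is then passed to `np.load`, which cannot read from it; the handle is also never closed before `shutil.rmtree` runs. Passing the path instead, `tmp = os.path.join(tmpdir, "file.npz")`, lets `savez` and `load` open and close the file themselves. The new `tempdir` helper does not clean up when the body raises, because `yield tmpdir` is not wrapped in `try:` ... `finally: shutil.rmtree(tmpdir)`, and its `change_dir` parameter is unused.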
