Feat: Replaced outdated and insecure mktemp with NamedTemporaryFile

phdru · Mar 31, 2019 · 5c6d3a9 · 5c6d3a9
1 parent ec9ca52
commit 5c6d3a9
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 7 deletions.
diff --git a/ANNOUNCE b/ANNOUNCE
@@ -30,6 +30,10 @@ everything else. This is how it could be done:
    mimedecode -t application/pdf -t application/postscript -t text/plain -b text/html -B 'image/*' -i '*/*'
 
 
+Version 3.0.1 (2019-??-??)
+
+   Replaced outdated and insecure `mktemp` with `NamedTemporaryFile`.
+
 Version 3.0.0 (2019-02-01)
 
    Python 3.7.

diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+Version 3.0.1 (2019-??-??)
+
+   Replaced outdated and insecure `mktemp` with `NamedTemporaryFile`.
+
 Version 3.0.0 (2019-02-01)
 
    Python 3.7.

diff --git a/mimedecode/mimedecode.py b/mimedecode/mimedecode.py
@@ -227,29 +227,28 @@ def decode_body(msg, s):
         charset = msg.get_content_charset()
     else:
         charset = None
-    filename = tempfile.mktemp()
+    tmpfile = tempfile.NamedTemporaryFile()
     command = None
 
     entries = mailcap.lookup(caps, content_type, "view")
     for entry in entries:
         if 'copiousoutput' in entry:
             if 'test' in entry:
-                test = mailcap.subst(entry['test'], content_type, filename)
+                test = mailcap.subst(entry['test'], content_type, tmpfile.name)
                 if test and os.system(test) != 0:
                     continue
-            command = mailcap.subst(entry["view"], content_type, filename)
+            command = mailcap.subst(entry["view"], content_type, tmpfile.name)
             break
 
     if not command:
         return s
 
-    outfile = open(filename, 'wb')
     if charset and bytes is not str and isinstance(s, bytes):  # Python3
         s = s.decode(charset, "replace")
     if not isinstance(s, bytes):
         s = s.encode(g.default_encoding, "replace")
-    outfile.write(s)
-    outfile.close()
+    tmpfile.write(s)
+    tmpfile.flush()
 
     pipe = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE)
     new_s = pipe.stdout.read()
@@ -268,7 +267,7 @@ def decode_body(msg, s):
         msg["X-MIME-Autoconverted"] = \
             "failed conversion from %s to text/plain by %s id %s" \
             % (content_type, g.host_name, command.split()[0])
-    os.remove(filename)
+    tmpfile.close()  # Will be removed on close
 
     return s