Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bu…

…g #737059
python-pillow · Mar 14, 2014 · 4e9f367 · 4e9f367
1 parent b1b88cf
commit 4e9f367
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 10 deletions.
diff --git a/PIL/EpsImagePlugin.py b/PIL/EpsImagePlugin.py
@@ -67,7 +67,8 @@ def Ghostscript(tile, size, fp, scale=1):
 
     import tempfile, os, subprocess
 
-    file = tempfile.mktemp()
+    out_fd, file = tempfile.mkstemp()
+    os.close(out_fd)
 
     # Build ghostscript command
     command = ["gs",

diff --git a/PIL/Image.py b/PIL/Image.py
@@ -495,14 +495,17 @@ def _copy(self):
         self.readonly = 0
 
     def _dump(self, file=None, format=None):
-        import tempfile
+        import tempfile, os
         if not file:
-            file = tempfile.mktemp()
+            f, file = tempfile.mkstemp(format or '')
+            os.close(f)
+
         self.load()
         if not format or format == "PPM":
             self.im.save_ppm(file)
         else:
-            file = file + "." + format
+            if file.endswith(format):
+                file = file + "." + format
             self.save(file, format)
         return file
 

diff --git a/PIL/IptcImagePlugin.py b/PIL/IptcImagePlugin.py
@@ -172,8 +172,8 @@ def load(self):
         self.fp.seek(offset)
 
         # Copy image data to temporary file
-        outfile = tempfile.mktemp()
-        o = open(outfile, "wb")
+        o_fd, outfile = tempfile.mkstemp(text=False)
+        o = os.fdopen(o_fd)
         if encoding == "raw":
             # To simplify access to the extracted file,
             # prepend a PPM header

diff --git a/PIL/JpegImagePlugin.py b/PIL/JpegImagePlugin.py
@@ -344,13 +344,17 @@ def load_djpeg(self):
         # ALTERNATIVE: handle JPEGs via the IJG command line utilities
 
         import tempfile, os
-        file = tempfile.mktemp()
-        os.system("djpeg %s >%s" % (self.filename, file))
+        f, path = tempfile.mkstemp()
+        os.close(f)
+        if os.path.exists(self.filename):
+            os.system("djpeg '%s' >'%s'" % (self.filename, path))
+        else:
+            raise ValueError("Invalid Filename")
 
         try:
-            self.im = Image.core.open_ppm(file)
+            self.im = Image.core.open_ppm(path)
         finally:
-            try: os.unlink(file)
+            try: os.unlink(path)
             except: pass
 
         self.mode = self.im.mode