Remove insecure tempfile.mktemp #2677

ChillerDragon · 2020-07-30T10:22:11Z

Found by lgtm.com mentioned by @jxsl13 :)

tempfile.mktemp is deprecated since Python 2.3 and considered weak https://cwe.mitre.org/data/definitions/377.html

change is untested

Sadly I could not get all dependencies building (planetbeing/libdmg-hfsplus#14) and thus could not test this branch of code. If one has the binaries for hfsplus please test this.

As far as I understood this script should be run like this:

bam
python3 scripts/dmg.py create build/x86_64/debug test . --hdiutil <dmg path> <hfsplus path> <newfs_hfs path>

heinrich5991 · 2020-07-30T12:37:54Z

scripts/dmg.py

@@ -54,7 +54,7 @@ def _finish(self, hfs, dmg):
 	def create(self, dmg, volume_name, directory, symlinks):
 		input_size = sum(os.stat(os.path.join(path, f)).st_size for path, dirs, files in os.walk(directory) for f in files)
 		output_size = max(input_size * 2, 1024**2)
-		hfs = tempfile.mktemp(prefix=dmg + '.', suffix='.hfs')
+		hfs = NamedTemporaryFile(prefix=dmg + '.', suffix='.hfs', delete=False)


That seems to have other semantics, mktemp does not create a file, NamedTemporaryFile does. This absolutely needs to be tested before merging.

This could perhaps be solved by doing the whole thing in a temporary directory.

Remove insecure tempfile.mktemp

a8e80a9

heinrich5991 requested changes Jul 30, 2020

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove insecure tempfile.mktemp #2677

Remove insecure tempfile.mktemp #2677

ChillerDragon commented Jul 30, 2020 •

edited

heinrich5991 Jul 30, 2020

Remove insecure tempfile.mktemp #2677

Are you sure you want to change the base?

Remove insecure tempfile.mktemp #2677

Conversation

ChillerDragon commented Jul 30, 2020 • edited

heinrich5991 Jul 30, 2020

Choose a reason for hiding this comment

ChillerDragon commented Jul 30, 2020 •

edited