From 5ce8451d2893e3ce64d40e1835b6b2b2ad437f3c 2014-02-20 22:28:41 From: Julian Taylor Date: 2014-02-20 22:28:41 Subject: [PATCH] remove mktemp usage mktemp is insecure, by the time the generated filename is used someone else might have modified it. --- diff --git a/IPython/core/page.py b/IPython/core/page.py index e0aebd2..23fedb5 100644 --- a/IPython/core/page.py +++ b/IPython/core/page.py @@ -208,16 +208,19 @@ def page(strng, start=0, screen_lines=0, pager_cmd=None): # The default WinXP 'type' command is failing on complex strings. retval = 1 else: - tmpname = tempfile.mktemp('.txt') - tmpfile = open(tmpname,'wt') - tmpfile.write(strng) - tmpfile.close() - cmd = "%s < %s" % (pager_cmd,tmpname) - if os.system(cmd): - retval = 1 - else: - retval = None - os.remove(tmpname) + fd, tmpname = tempfile.mkstemp('.txt') + try: + os.close(fd) + with open(tmpname, 'wt') as tmpfile: + tmpfile.write(strng) + cmd = "%s < %s" % (pager_cmd, tmpname) + # tmpfile needs to be closed for windows + if os.system(cmd): + retval = 1 + else: + retval = None + finally: + os.remove(tmpname) else: try: retval = None diff --git a/IPython/kernel/connect.py b/IPython/kernel/connect.py index 894ca1d..f889ab9 100644 --- a/IPython/kernel/connect.py +++ b/IPython/kernel/connect.py @@ -95,7 +95,8 @@ def write_connection_file(fname=None, shell_port=0, iopub_port=0, stdin_port=0, ip = localhost() # default to temporary connector file if not fname: - fname = tempfile.mktemp('.json') + fd, fname = tempfile.mkstemp('.json') + os.close(fd) # Find open ports as necessary. diff --git a/IPython/parallel/tests/test_client.py b/IPython/parallel/tests/test_client.py index c8ebef6..fd70b6d 100644 --- a/IPython/parallel/tests/test_client.py +++ b/IPython/parallel/tests/test_client.py @@ -20,7 +20,6 @@ from __future__ import division import time from datetime import datetime -from tempfile import mktemp import zmq diff --git a/IPython/parallel/tests/test_view.py b/IPython/parallel/tests/test_view.py index e1ff878..cfefb7e 100644 --- a/IPython/parallel/tests/test_view.py +++ b/IPython/parallel/tests/test_view.py @@ -21,7 +21,7 @@ import sys import platform import time from collections import namedtuple -from tempfile import mktemp +from tempfile import NamedTemporaryFile import zmq from nose.plugins.attrib import attr @@ -164,13 +164,12 @@ class TestView(ClusterTestCase): def test_run_newline(self): """test that run appends newline to files""" - tmpfile = mktemp() - with open(tmpfile, 'w') as f: + with NamedTemporaryFile('w', delete=False) as f: f.write("""def g(): return 5 """) v = self.client[-1] - v.run(tmpfile, block=True) + v.run(f.name, block=True) self.assertEqual(v.apply_sync(lambda f: f(), pmod.Reference('g')), 5) def test_apply_tracked(self): diff --git a/IPython/testing/tools.py b/IPython/testing/tools.py index daaf20f..c9772de 100644 --- a/IPython/testing/tools.py +++ b/IPython/testing/tools.py @@ -152,7 +152,9 @@ def default_config(): config.TerminalInteractiveShell.colors = 'NoColor' config.TerminalTerminalInteractiveShell.term_title = False, config.TerminalInteractiveShell.autocall = 0 - config.HistoryManager.hist_file = tempfile.mktemp(u'test_hist.sqlite') + f = tempfile.NamedTemporaryFile(suffix=u'test_hist.sqlite', delete=False) + config.HistoryManager.hist_file = f.name + f.close() config.HistoryManager.db_cache_size = 10000 return config