Avoid usage of insecure mktemp() function

This patch eliminates the use of the deprecated and insecure tempfile.mktemp() function. It has been replaced with secure alternatives where temporary files are actually required. Change-Id: I0a13d6d44cd1abc4b66fa33f39eea407617a01d5 SecurityImpact Closes-bug: #1348869
2014-07-25 20:47:11 -07:00 · 2014-07-25 20:47:11 -07:00 · 6978275cdb
parent 6c256c5057
commit 6978275cdb
2 changed files with 11 additions and 12 deletions
--- a/swift/common/middleware/x_profile/html_viewer.py
+++ b/swift/common/middleware/x_profile/html_viewer.py
@ -384,10 +384,7 @@ class HTMLViewer(object):
            elif output_format == 'ods':
                data = stats.to_ods(nfl_esc, limit)
            else:
-                profile_tmp_all = tempfile.mktemp('.profile', 'all')
-                stats.dump_stats(profile_tmp_all)
-                data = open(profile_tmp_all).read()
-                os.remove(profile_tmp_all)
+                data = stats.print_stats()
            return data, [('content-type', self.format_dict[output_format])]
        except ODFLIBNotInstalled as ex:
            raise ex
@ -427,10 +424,11 @@ class HTMLViewer(object):
                plt.xlabel(names[metric_selected])
            plt.title('Profile Statistics (by %s)' % names[metric_selected])
            #plt.gcf().tight_layout(pad=1.2)
-            profile_img = tempfile.mktemp('.png', 'plot')
-            plt.savefig(profile_img, dpi=300)
-            data = open(profile_img).read()
-            os.remove(profile_img)
+            profile_img = tempfile.TemporaryFile()
+            plt.savefig(profile_img, format='png', dpi=300)
+            profile_img.seek(0)
+            data = profile_img.read()
+            os.close(profile_img)
            return data, [('content-type', 'image/jpg')]
        except Exception as ex:
            raise ProfileException(_('plotting results failed due to %s') % ex)
--- a/swift/common/middleware/x_profile/profile_model.py
+++ b/swift/common/middleware/x_profile/profile_model.py
@ -222,10 +222,11 @@ class Stats2(pstats.Stats):
            table.addElement(tr_header)

        spreadsheet.spreadsheet.addElement(table)
-        tmp_ods = tempfile.mktemp('.ods', 'stats')
-        spreadsheet.save(tmp_ods, False)
-        data = open(tmp_ods).read()
-        os.remove(tmp_ods)
+        tmp_ods = tempfile.TemporaryFile()
+        spreadsheet.write(tmp_ods)
+        tmp_ods.seek(0)
+        data = tmp_ods.read()
+        os.close(tmp_ods)
        return data