logilab-common #207562 CVE-2014-1839: temp file issue in shellutils.Execute [validation pending]

    import os
    import tempfile

    class Execute:
        """This is a deadlock safe version of popen2 (no stdin), that returns
        an object with errorlevel, out and err.
        """

        def __init__(self, command):
            # mktemp() only returns a name; nothing is created or reserved,
            # so the shell redirection below opens whatever is at that path.
            outfile = tempfile.mktemp()
            errfile = tempfile.mktemp()
            self.status = os.system("( %s ) >%s 2>%s" %
                                    (command, outfile, errfile)) >> 8
            self.out = open(outfile, "r").read()
            self.err = open(errfile, "r").read()
            os.remove(outfile)
            os.remove(errfile)

From the tempfile.mktemp() docstring: “This function is unsafe and
should not be used. The file name refers to a file that did not exist at
some point, but by the time you get around to creating it, someone else
may have beaten you to the punch.”

priority: important
type: bug
appeared in: <not specified>
done in: 0.61.0
load: 0.500
load left: 0.000
debian bug number: 737051
closed by: #1653:2c4fd6f35674
patch: shellutils: fix tempfile issue in Execute, and deprecate it [applied]