shellutils: fix tempfile issue in Execute, and deprecate it

Addresses CVE-2014-1839. Closes #207562

authorJulien Cristau <julien.cristau@logilab.fr>
changeset2c4fd6f35674
branchdefault
phasepublic
hiddenno
parent revision#9c28b5b35b38 Remove pdf_ext module (closes #207561)
child revision#56b1d20168f8 prepare 0.61.0
files modified by this revision
ChangeLog
shellutils.py
# HG changeset patch
# User Julien Cristau <julien.cristau@logilab.fr>
# Date 1391422336 -3600
# Mon Feb 03 11:12:16 2014 +0100
# Node ID 2c4fd6f35674c52c577c27240e9d40da5ff0c274
# Parent 9c28b5b35b38094353ff6c38be0701f9399b18cb
shellutils: fix tempfile issue in Execute, and deprecate it

Addresses CVE-2014-1839.
Closes #207562

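--- a/ChangeLog
+++ b/ChangeLog
@@ -2,10 +2,13 @@
 ============================
 
 --
    * pdf_ext: removed, it had no known users (CVE-2014-1838)
 
+   * shellutils: fix tempfile issue in Execute, and deprecate it
+     (CVE-2014-1839)
+
    * pytest: use 'env' to run the python interpreter
 
    * graph: ensure output is ordered on node and graph ids (#202314)
 
 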
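--- a/shellutils.py
+++ b/shellutils.py
@@ -29,15 +29,17 @@
 import time
 import fnmatch
 import errno
 import string
 import random
+import subprocess
 from os.path import exists, isdir, islink, basename, join
 
 from logilab.common import STD_BLACKLIST, _handle_blacklist
 from logilab.common.compat import raw_input
 from logilab.common.compat import str_to_bytes
+from logilab.common.deprecation import deprecated
 
 try:
     from logilab.common.proc import ProcInfo, NoSuchProcess
 except ImportError:
     # windows platform
@@ -222,24 +224,21 @@
         else:
             outfile = open(join(destdir, name), 'wb')
             outfile.write(zfobj.read(name))
             outfile.close()
 
+@deprecated('Use subprocess.Popen instead')
 class Execute:
     """This is a deadlock safe version of popen2 (no stdin), that returns
     an object with errorlevel, out and err.
     """
 
     def __init__(self, command):
-        outfile = tempfile.mktemp()
-        errfile = tempfile.mktemp()
-        self.status = os.system("( %s ) >%s 2>%s" %
-                                (command, outfile, errfile)) >> 8
-        self.out = open(outfile, "r").read()
-        self.err = open(errfile, "r").read()
-        os.remove(outfile)
-        os.remove(errfile)
+        cmd = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        self.out, self.err = cmd.communicate()
+        self.status = os.WEXITSTATUS(cmd.returncode)
+
 
 def acquire_lock(lock_file, max_try=10, delay=10, max_delay=3600):
     """Acquire a lock represented by a file on the file system
 
     If the process written in lock file doesn't exist anymore, we remove the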
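Review bot: `self.status = os.WEXITSTATUS(cmd.returncode)` in `Execute.__init__` decodes a value that is already decoded: `Popen.returncode` is the exit code itself (or a negative signal number), not a wait()-style status, so `WEXITSTATUS` shifts the code away and an exit code of 1 is reported as status 0. A caller that tests `status` to detect failure would then treat a failed command as successful, and `os.WEXITSTATUS` does not exist on Windows, which the import fallback earlier in the file caters for. Use `self.status = cmd.returncode` instead. Separately, `shell=True` keeps `command` interpreted by the shell as before, so the class docstring should state that `command` must never be built from untrusted input; if the module runs on Python 3, `out` and `err` are now bytes where the old code returned text.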