From 5c6d3a9d9921a674883d65896bae4caadc89b789 Mon Sep 17 00:00:00 2001
From: Oleg Broytman
Date: Mon, 1 Apr 2019 00:25:00 +0300
Subject: [PATCH] Feat: Replaced outdated and insecure `mktemp` with `NamedTemporaryFile`
---
 ANNOUNCE | 4 ++++
 ChangeLog | 4 ++++
 mimedecode/mimedecode.py | 13 ++++++-------
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index a2be0e5..5d7a2a0 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -30,6 +30,10 @@ everything else. This is how it could be done:
 mimedecode -t application/pdf -t application/postscript -t text/plain -b text/html -B 'image/*' -i '*/*'
+Version 3.0.1 (2019-??-??)
+
+ Replaced outdated and insecure `mktemp` with `NamedTemporaryFile`.
 Version 3.0.0 (2019-02-01)
 Python 3.7.
diff --git a/ChangeLog b/ChangeLog
index 22e7469..f2aae0e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Version 3.0.1 (2019-??-??)
+
+ Replaced outdated and insecure `mktemp` with `NamedTemporaryFile`.
+
 Version 3.0.0 (2019-02-01)
 Python 3.7.
diff --git a/mimedecode/mimedecode.py b/mimedecode/mimedecode.py
index 4ca2f25..ead1ab3 100644
--- a/mimedecode/mimedecode.py
+++ b/mimedecode/mimedecode.py
@@ -227,29 +227,28 @@ def decode_body(msg, s):
 charset = msg.get_content_charset()
 else:
 charset = None
- filename = tempfile.mktemp()
+ tmpfile = tempfile.NamedTemporaryFile()
 command = None
 entries = mailcap.lookup(caps, content_type, "view")
 for entry in entries:
 if 'copiousoutput' in entry:
 if 'test' in entry:
- test = mailcap.subst(entry['test'], content_type, filename)
+ test = mailcap.subst(entry['test'], content_type, tmpfile.name)
 if test and os.system(test) != 0:
 continue
- command = mailcap.subst(entry["view"], content_type, filename)
+ command = mailcap.subst(entry["view"], content_type, tmpfile.name)
 break
 if not command:
 return s
- outfile = open(filename, 'wb')
 if charset and bytes is not str and isinstance(s, bytes): # Python3
 s = s.decode(charset, "replace")
 if not isinstance(s, bytes):
 s = s.encode(g.default_encoding, "replace")
- outfile.write(s)
- outfile.close()
+ tmpfile.write(s)
+ tmpfile.flush()
 pipe = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE)
 new_s = pipe.stdout.read()
@@ -268,7 +267,7 @@ def decode_body(msg, s):
 msg["X-MIME-Autoconverted"] = \
 "failed conversion from %s to text/plain by %s id %s" \
 % (content_type, g.host_name, command.split()[0])
- os.remove(filename)
+ tmpfile.close() # Will be removed on close
 return s
-- 
2.39.5
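Review bot: `test` and `command` are still handed to a shell (`os.system(test)` and `subprocess.Popen(command, shell=True)`) after `mailcap.subst()` has expanded them, and `mailcap.subst()` does not quote what it substitutes. The temporary file name is safe to interpolate, but `content_type` looks like it is taken from the message being decoded (its assignment is above the hunk, so confirm), and a mailcap entry that uses `%t` would then carry sender-chosen text into the shell. I would reject anything outside a strict allowlist before the temporary file is created, e.g. `if not re.match(r'[A-Za-z0-9.+-]+/[A-Za-z0-9.+-]+\Z', content_type): return s`, assuming `re` is available in this module. `decode_body` starts above this hunk and continues past it.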
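Review bot: `tmpfile.close()` in the second hunk is reached only when the viewer path runs to the end; the early `return s` under `if not command:` in the first hunk, and any exception raised by the encode step or `Popen`, leave the file open and its removal to garbage collection. With `mktemp` nothing existed on disk at the early return, so this is new behaviour. Putting the work that follows `tempfile.NamedTemporaryFile()` inside `try:` with `finally: tmpfile.close()`, or a `with` block, makes removal deterministic on every path. The viewer also opens `tmpfile.name` while this process still holds the file open, which works on Unix but not on Windows with the default delete-on-close mode, so a comment such as `# viewer re-opens tmpfile.name while we hold it open: Unix only` would help. The lines between the two hunks are not visible, so check for other return paths there.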