Removed tempfile.mktemp, fixes CVE-2014-1932 CVE-2014-1933, debian bug #737059

wiredfool 2014-03-14 15:56:41 -07:00
parent 1a03ca9224
commit 1e331e3e6a
4 changed files with 20 additions and 11 deletions


@ -67,8 +67,10 @@ def Ghostscript(tile, size, fp, scale=1):
import tempfile, os, subprocess import tempfile, os, subprocess
outfile = tempfile.mktemp() out_fd, outfile = tempfile.mkstemp()
infile = tempfile.mktemp() os.close(out_fd)
in_fd, infile = tempfile.mkstemp()
os.close(in_fd)
with open(infile, 'wb') as f: with open(infile, 'wb') as f:
fp.seek(offset) fp.seek(offset)
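Review bot: Both `tempfile.mkstemp()` calls create files on disk immediately, so an exception raised before the cleanup (for example from the `fp.seek(offset)` and write that follow) now leaves two files behind in the temp directory, which `mktemp()` never did. The cleanup code is outside this hunk, so this needs confirming: the body from `with open(infile, 'wb')` onward should sit inside a `try: ... finally:` that unlinks both `infile` and `outfile`. A short comment such as `# mkstemp creates the file exclusively, readable only by us; we only need the name, so close the fd` would also explain why each descriptor is closed straight away.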


@ -504,14 +504,17 @@ class Image:
self.readonly = 0 self.readonly = 0
def _dump(self, file=None, format=None): def _dump(self, file=None, format=None):
import tempfile import tempfile, os
if not file: if not file:
file = tempfile.mktemp() f, file = tempfile.mkstemp(format or '')
os.close(f)
self.load() self.load()
if not format or format == "PPM": if not format or format == "PPM":
self.im.save_ppm(file) self.im.save_ppm(file)
else: else:
file = file + "." + format if file.endswith(format):
file = file + "." + format
self.save(file, format) self.save(file, format)
return file return file
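Review bot: The new `if file.endswith(format):` test is inverted, and `mkstemp(format or '')` passes the format as a suffix without a leading dot. For a non-PPM format the generated name already ends with the format, so the code appends `"." + format` and `self.save()` writes to a second path that mkstemp never created; the securely created file is left empty and orphaned, and the path actually written gets none of the exclusive-creation guarantee this commit is meant to provide. A caller-supplied `file` that lacks the extension also no longer receives it, which changes the previous behaviour. I would use `f, file = tempfile.mkstemp('.' + format if format else '')` and `if not file.endswith(format):`.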


@ -172,8 +172,8 @@ class IptcImageFile(ImageFile.ImageFile):
self.fp.seek(offset) self.fp.seek(offset)
# Copy image data to temporary file # Copy image data to temporary file
outfile = tempfile.mktemp() o_fd, outfile = tempfile.mkstemp(text=False)
o = open(outfile, "wb") o = os.fdopen(o_fd)
if encoding == "raw": if encoding == "raw":
# To simplify access to the extracted file, # To simplify access to the extracted file,
# prepend a PPM header # prepend a PPM header
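Review bot: `os.fdopen(o_fd)` opens the descriptor in the default mode `'r'`, whereas the line it replaces opened the file with `"wb"`; the comments that follow indicate a PPM header and image data are written to `o`, and those writes would fail on a read-only file object. It should be `o = os.fdopen(o_fd, "wb")`. The hunk also starts using `os`, and the module's imports are not visible here, so confirm that `os` is imported. The code that writes to and closes `o` is outside the hunk.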


@ -344,13 +344,17 @@ class JpegImageFile(ImageFile.ImageFile):
# ALTERNATIVE: handle JPEGs via the IJG command line utilities # ALTERNATIVE: handle JPEGs via the IJG command line utilities
import tempfile, os import tempfile, os
file = tempfile.mktemp() f, path = tempfile.mkstemp()
os.system("djpeg %s >%s" % (self.filename, file)) os.close(f)
if os.path.exists(self.filename):
os.system("djpeg '%s' >'%s'" % (self.filename, path))
else:
raise ValueError("Invalid Filename")
try: try:
self.im = Image.core.open_ppm(file) self.im = Image.core.open_ppm(path)
finally: finally:
try: os.unlink(file) try: os.unlink(path)
except: pass except: pass
self.mode = self.im.mode self.mode = self.im.mode
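Review bot: The `os.system("djpeg '%s' >'%s'" % (self.filename, path))` line still builds a shell command from `self.filename`; neither the single quotes nor the `os.path.exists` check stops a file name that contains a `'` from changing what the shell runs. Passing an argument list avoids the shell entirely and lets djpeg write straight into the descriptor mkstemp returned: `subprocess.check_call(["djpeg", self.filename], stdout=f)` followed by `os.close(f)`, with `subprocess` added to the import line. Separately, the `raise ValueError("Invalid Filename")` branch runs before the `try/finally`, so the file created by mkstemp is never unlinked on that path; moving the existence check above the `mkstemp()` call fixes that.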