[Python-Dev] tempfile problems (original) (raw)

M.-A. Lemburg mal@lemburg.com
Tue, 15 Oct 2002 12:09:55 +0200

Thomas Heller wrote:

bdistwininst currently contains this code:

from tempfile import NamedTemporaryFile arc = NamedTemporaryFile(".zip") archivebasename = arc.name[:-4] fullname = self.distribution.getfullname() arcname = self.makearchive(archivebasename, "zip", rootdir=self.bdistdir) The corresponding checkin message is this: revision 1.35 date: 2002/08/09 16:37:34; author: gvanrossum; state: Exp; lines: +5 -4 Massive changes from SF 589982 (tempfile.py rewrite, by Zack Weinberg). This changes all uses of deprecated tempfile functions to the recommended ones.

The call to NamedTemporaryFile(".zip") crashes with an access violation on Windows. I've submitted a bug # 623464 for this. I assume this is meant instead: from tempfile import NamedTemporaryFile arc = NamedTemporaryFile(suffix = ".zip") archivebasename = arc.name[:-4] fullname = self.distribution.getfullname() arcname = self.makearchive(archivebasename, "zip", rootdir=self.bdistdir) but it doesn't work either: makearchive() fails with 'permission denied' because the file is already open. This would work: from tempfile import NamedTemporaryFile arc = NamedTemporaryFile(suffix = ".zip") archivebasename = arc.name[:-4] arc.close() fullname = self.distribution.getfullname() arcname = self.makearchive(archivebasename, "zip", rootdir=self.bdistdir) but I'm not sure if it defeats the purpose of the change (secure tempfiles). Since distutils should still be compatible with older Python versions, and those do not contain NamedTemporaryFile, I suggest to back out this change.

+1

A temporary ZIP file doesn't introduce much of a security risk anyway, even less when it's being created by a package developer.

-- Marc-Andre Lemburg CEO eGenix.com Software GmbH

eGenix.com -- Makers of the Python mx Extensions: mxDateTime,mxODBC,... Python Consulting: http://www.egenix.com/ Python Software: http://www.egenix.com/files/python/