authorJulien Cristau <julien.cristau@logilab.fr>2014-02-03 11:12:16 +0100
committerJulien Cristau <julien.cristau@logilab.fr>2014-02-03 11:12:16 +0100
commitd836c08ddbd2e4bd87e69101b6042b49f5d358ff (patch)
tree7668026c8baf7dd7074095247b82bb6e99997823
parent0dbd6a20b1abeffa0e30a302657332f7f706c269 (diff)
downloadlogilab-common-d836c08ddbd2e4bd87e69101b6042b49f5d358ff.tar.gz
shellutils: fix tempfile issue in Execute, and deprecate it
Addresses CVE-2014-1839. Closes #207562
-rw-r--r--ChangeLog3
-rw-r--r--shellutils.py15
2 files changed, 10 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index c836182..c979a70 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@ ChangeLog for logilab.common
--
* pdf_ext: removed, it had no known users (CVE-2014-1838)
+ * shellutils: fix tempfile issue in Execute, and deprecate it
+ (CVE-2014-1839)
+
* pytest: use 'env' to run the python interpreter
* graph: ensure output is ordered on node and graph ids (#202314)
diff --git a/shellutils.py b/shellutils.py
index 60ef602..28c2b42 100644
--- a/shellutils.py
+++ b/shellutils.py
@@ -31,11 +31,13 @@ import fnmatch
import errno
import string
import random
+import subprocess
from os.path import exists, isdir, islink, basename, join
from logilab.common import STD_BLACKLIST, _handle_blacklist
from logilab.common.compat import raw_input
from logilab.common.compat import str_to_bytes
+from logilab.common.deprecation import deprecated
try:
from logilab.common.proc import ProcInfo, NoSuchProcess
@@ -224,20 +226,17 @@ def unzip(archive, destdir):
outfile.write(zfobj.read(name))
outfile.close()
+@deprecated('Use subprocess.Popen instead')
class Execute:
"""This is a deadlock safe version of popen2 (no stdin), that returns
an object with errorlevel, out and err.
"""
def __init__(self, command):
- outfile = tempfile.mktemp()
- errfile = tempfile.mktemp()
- self.status = os.system("( %s ) >%s 2>%s" %
- (command, outfile, errfile)) >> 8
- self.out = open(outfile, "r").read()
- self.err = open(errfile, "r").read()
- os.remove(outfile)
- os.remove(errfile)
+ cmd = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ self.out, self.err = cmd.communicate()
+ self.status = os.WEXITSTATUS(cmd.returncode)
+
def acquire_lock(lock_file, max_try=10, delay=10, max_delay=3600):
"""Acquire a lock represented by a file on the file system
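Review bot: `self.status = os.WEXITSTATUS(cmd.returncode)` on the new side mis-decodes the exit status: `Popen.returncode` is already the child's exit code (or a negative signal number), not a raw `wait()` status word, so `os.WEXITSTATUS` shifts it right by 8 and reports 0 for every ordinary non-zero exit code below 256, and an unspecified value when the child was killed by a signal. The old code needed the `>> 8` because `os.system` returns the raw status, but that decoding is now done by `subprocess`, so the line should simply be `self.status = cmd.returncode`. Callers that branch on `status` to detect a failed command would otherwise see success, which matters because this class runs `command` through `shell=True` exactly as `os.system` did. Separately, `cmd.communicate()` yields bytes on Python 3 while the removed code read the temp files in text mode, so `out`/`err` may change type for Python 3 users; worth a sentence in the class docstring if that is accepted. The hunk's trailing context cuts into the docstring of `acquire_lock`, which continues outside the hunk.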