[Python-Dev] tempfile problems

M.-A. Lemburg mal@lemburg.com
Tue, 15 Oct 2002 12:09:55 +0200 

Thomas Heller wrote:
> bdist_wininst currently contains this code:
> 
>     from tempfile import NamedTemporaryFile
>     arc = NamedTemporaryFile(".zip")
>     archive_basename = arc.name[:-4]
>     fullname = self.distribution.get_fullname()
>     arcname = self.make_archive(archive_basename, "zip",
>                                 root_dir=self.bdist_dir)
> 
> The corresponding checkin message is this:
> 
> revision 1.35
> date: 2002/08/09 16:37:34;  author: gvanrossum;  state: Exp;  lines: +5 -4
> Massive changes from SF 589982 (tempfile.py rewrite, by Zack
> Weinberg).  This changes all uses of deprecated tempfile functions to
> the recommended ones.
> 
> 
> The call to NamedTemporaryFile(".zip") crashes with an access
> violation on Windows. I've submitted a bug # 623464 for this.
> I assume this is meant instead:
> 
>     from tempfile import NamedTemporaryFile
>     arc = NamedTemporaryFile(suffix = ".zip")
>     archive_basename = arc.name[:-4]
>     fullname = self.distribution.get_fullname()
>     arcname = self.make_archive(archive_basename, "zip",
>                                 root_dir=self.bdist_dir)
> 
> but it doesn't work either: make_archive() fails with
> 'permission denied' because the file is already open.
> This would work:
> 
>     from tempfile import NamedTemporaryFile
>     arc = NamedTemporaryFile(suffix = ".zip")
>     archive_basename = arc.name[:-4]
>     arc.close()
>     fullname = self.distribution.get_fullname()
>     arcname = self.make_archive(archive_basename, "zip",
>                                 root_dir=self.bdist_dir)
> 
> but I'm not sure if it defeats the purpose of the change
> (secure tempfiles).
> 
> Since distutils should still be compatible with older
> Python versions, and those do not contain NamedTemporaryFile,
> I suggest to back out this change.

+1

A temporary ZIP file doesn't introduce much of a security
risk anyway, even less when it's being created by a package
developer.

-- 
Marc-Andre Lemburg
CEO eGenix.com Software GmbH
_______________________________________________________________________
eGenix.com -- Makers of the Python mx Extensions: mxDateTime,mxODBC,...
Python Consulting:                               http://www.egenix.com/
Python Software:                    http://www.egenix.com/files/python/