oss-sec mailing list archives

pinocchio tmp vuln

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 09 Sep 2014 00:21:13 -0600

https://pypi.python.org/pypi/pinocchio/

pinocchio       stopwatch       --with-stopwatch        Select tests based on execution time

pinocchio-0.4.1/pinocchio/stopwatch.py

    def finalize(self, result):
        """
        Save the recorded times, OR dump them into /tmp if the file
        open fails.
        """
        try:
            fp = open(self.stopwatch_file, 'w')
        except (IOError, OSError):
            t = int(time.time())
            filename = '/tmp/nose-stopwatch-%s.pickle' % (t,)

int(time.time) is easily guessed, create a few thousand and you're
covered for the next few hours and can stop anyone from using stopwatch,
or you can just blow away files as usual =).

            fp = open(filename, 'w')
            log.warning('WARNING: stopwatch cannot write to "%s"' %
(self.stopwatch_file))
            log.warning('WARNING: stopwatch is using "%s" to save times'
% (filename,))

        dump(self.times, fp)
        fp.close()




-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

pinocchio tmp vuln Kurt Seifried (Sep 08)
- Re: pinocchio tmp vuln David Jorm (Sep 08)
  - Re: pinocchio tmp vuln Mikko Korpela (Sep 09)
    - Re: pinocchio tmp vuln Steve Kemp (Sep 09)
    - Re: pinocchio tmp vuln Mikko Korpela (Sep 09)
    - Re: pinocchio tmp vuln Henri Salo (Sep 09)
    - Re: pinocchio tmp vuln Kurt Seifried (Sep 09)
    - Re: pinocchio tmp vuln Donald Stufft (Sep 11)
    - Re: pinocchio tmp vuln John Haxby (Sep 09)
    - Re: pinocchio tmp vuln Mikko Korpela (Sep 09)
    - Re: pinocchio tmp vuln John Haxby (Sep 11)

(Thread continues...)