oss-sec mailing list archives
luigi tmp vuln
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 09 Sep 2014 00:57:12 -0600
https://pypi.python.org/pypi/luigi luigi-1.0.17/luigi/hdfs.py We have a creative attempt to implement mkstemp: def tmppath(path=None): """ @param path: target path for which it is needed to generate temporary location @type path: str @rtype: str """ addon = "luigitemp-%08d" % random.randrange(1e9) temp_dir = tempfile.gettempdir() #1. Figure out to which temporary directory to place configured_hdfs_tmp_dir = configuration.get_config().get('core', 'hdfs-tmp-dir', None) if configured_hdfs_tmp_dir is not None: #config is superior base_dir = configured_hdfs_tmp_dir elif path is not None: #need to copy correct schema and network location parsed = urlparse.urlparse(path) base_dir = urlparse.urlunparse((parsed.scheme, parsed.netloc, temp_dir, '', '', '')) else: #just system temporary directory base_dir = temp_dir #2. Figure out what to place if path is not None: if path.startswith(temp_dir + '/'): #Not 100%, but some protection from directories like /tmp/tmp/file subdir = path[len(temp_dir):] else: #Protection from /tmp/hdfs:/dir/file parsed = urlparse.urlparse(path) subdir = parsed.path subdir = subdir.lstrip('/') + '-' else: #just return any random temporary location subdir = '' return os.path.join(base_dir, subdir + addon) And then it gets used: class HdfsAtomicWriteDirPipe(luigi.format.OutputPipeProcessWrapper): """ Writes a data<data_extension> file to a directory at <path> """ def __init__(self, path, data_extension=""): self.path = path self.tmppath = tmppath(self.path) self.datapath = self.tmppath + ("/data%s" % data_extension) super(HdfsAtomicWriteDirPipe, self).__init__([load_hadoop_cmd(), 'fs', '-put', '-', self.datapath]) =================================== luigi-1.0.17/luigi/interface.py Also we have a PID file: lock_pid_dir = parameter.Parameter( is_global=True, default='/var/tmp/luigi', description='Directory to store the pid file') -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- luigi tmp vuln Kurt Seifried (Sep 08)