107 fn = ",".join(stations)
108 res = open("/tmp/ss.xlsx", "rb").read()
109 os.unlink("/tmp/ss.xlsx")110 return res, fn
105 worksheet.freeze_panes(3, 0)
107 fn = ",".join(stations)
108 res = open("/tmp/ss.xlsx", "rb").read()109 os.unlink("/tmp/ss.xlsx")
110 return res, fn
99 # re-establish the correct column sorting
100 df = df.reindex(cols, axis=1)
102 with pd.ExcelWriter("/tmp/ss.xlsx", engine="xlsxwriter") as writer:103 df.to_excel(writer, sheet_name="Daily Weather", index=False)
104 worksheet = writer.sheets["Daily Weather"]
105 worksheet.freeze_panes(3, 0)
477 msg.preamble = "Data"
478 try:
479 shutil.copyfile(f"/tmp/{tmpfn}", f"/var/webtmp/{tmpfn}")
480 os.unlink(f"/tmp/{tmpfn}")481 except PermissionError:
482 pass
483 uri = f"https://datateam.agron.iastate.edu/tmp/{tmpfn}"
476 msg["To"] = email
477 msg.preamble = "Data"
478 try:
479 shutil.copyfile(f"/tmp/{tmpfn}", f"/var/webtmp/{tmpfn}")480 os.unlink(f"/tmp/{tmpfn}")
481 except PermissionError:
482 pass
Using a hardcoded temporary directory is unsafe. The program can be tricked into performing file actions against the wrong file, or into using a malicious file instead of the expected temporary file. Prefer using `tempfile`.
Malicious users can predict the file name and write to the directory containing the temporary file. They can effectively hijack the temporary file by creating a symlink with the temporary file's name before the program creates the file itself. This allows a malicious user to supply malicious data, or to cause the program's own actions to affect attacker-chosen files.
The `tempfile.TemporaryFile` function should be used to safely create temporary files. Besides creating the file safely, it uses random file names that cannot be predicted, and it cleans up the file automatically. When the code needs an actual path to hand to another API (as the `ExcelWriter` and `shutil.copyfile` calls above do), `tempfile.NamedTemporaryFile` or `tempfile.mkstemp` gives the same unpredictable name while still exposing a path.
# Insecure: a hard-coded, predictable path under /tmp is used as the
# temporary file, so any local user can pre-create or symlink it before
# this process opens it.
insecure_path = '/tmp/abc'
with open(insecure_path, 'w') as out:
    out.write('stuff')
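import tempfile

# Secure: tempfile.TemporaryFile chooses an unpredictable name and the
# file is deleted automatically when the handle is closed.
# TemporaryFile defaults to binary mode ('w+b'); writing the str 'stuff'
# to a binary handle raises TypeError, so open it in text mode instead.
with tempfile.TemporaryFile(mode="w+") as tmp:
    tmp.write('stuff')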