
Commit 9205118

committed
gh-79459: Sanitize the prefix and suffix parameters to the tempfile functions:
- `tempfile.mkdtemp`. - `tempfile.mkstemp`. - `tempfile.NamedTemporaryFile`.
1 parent d5b2681 commit 9205118


3 files changed

+39
-2
lines changed


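--- a/Doc/whatsnew/3.15.rst
+++ b/Doc/whatsnew/3.15.rst
@@ -1593,6 +1593,13 @@ New deprecations
 
 (Contributed by Sergey B Kirpichev and Serhiy Storchaka in :gh:`143715`.)
 
+* :mod:`tempfile`:
+
+* The ``prefix`` and ``suffix`` parameters of the tempfile functions,
+:func:`tempfile.mkdtemp`, :func:`tempfile.mkstemp` and
+:func:`tempfile.NamedTemporaryFile`, will be sanitized to use only the
+basename of the provided values if they contain a directory separator.
+
 * ``__version__``
 
 * The ``__version__``, ``version`` and ``VERSION`` attributes have been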

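--- a/Lib/tempfile.py
+++ b/Lib/tempfile.py
@@ -117,11 +117,15 @@ def _sanitize_params(prefix, suffix, dir):
 output_type = _infer_return_type(prefix, suffix, dir)
 if suffix is None:
 suffix = output_type()
+elif _os.path.dirname(suffix):
+suffix = _os.path.basename(suffix)
 if prefix is None:
 if output_type is str:
 prefix = template
 else:
 prefix = _os.fsencode(template)
+elif _os.path.dirname(prefix):
+prefix = _os.path.basename(prefix)
 if dir is None:
 if output_type is str:
 dir = gettempdir()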
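Review bot: The two added `elif` branches in `_sanitize_params` drop the directory part of `prefix`/`suffix` without any signal, so a caller that passes a value containing a separator (the input that could otherwise place the file outside `dir`) gets a different name and nothing in logs or test output shows it. Consider making the rewrite visible, for example `_warnings.warn("directory components in prefix/suffix are ignored", RuntimeWarning)` in each branch (this assumes the module's `_warnings` alias is in scope), or rejecting the value with `ValueError`. A value that ends in a separator reduces to an empty string here, which deserves a comment such as `# keep only the final path component so the name cannot leave dir (gh-79459)`. The function body continues outside the hunk.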

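--- a/Lib/test/test_tempfile.py
+++ b/Lib/test/test_tempfile.py
@@ -644,8 +644,10 @@ def do_create(self, dir=None, pre=None, suf=None):
 dir = tempfile.gettempdirb()
 if pre is None:
 pre = output_type()
+pre = os.path.basename(pre)
 if suf is None:
 suf = output_type()
+suf = os.path.basename(suf)
 (fd, name) = tempfile.mkstemp(dir=dir, prefix=pre, suffix=suf)
 (ndir, nbase) = os.path.split(name)
 adir = os.path.abspath(dir)
@@ -666,6 +668,10 @@ def test_basic(self):
 self.do_create(pre="a", suf="b")
 self.do_create(pre="aa", suf=".txt")
 self.do_create(dir=".")
+self.do_create(pre=f"{os.sep}myhome")
+self.do_create(pre=os.fsencode(f"{os.sep}home"))
+self.do_create(suf=f"{os.sep}home")
+self.do_create(suf=os.fsencode(f"{os.sep}home"))
 
 def test_basic_with_bytes_names(self):
 # mkstemp can create files when given name parts all
@@ -743,6 +749,8 @@ def do_create(self, dir=None, pre=None, suf=None):
 pre = output_type()
 if suf is None:
 suf = output_type()
+pre = os.path.basename(pre)
+suf = os.path.basename(suf)
 name = tempfile.mkdtemp(dir=dir, prefix=pre, suffix=suf)
 
 try:
@@ -759,6 +767,10 @@ def test_basic(self):
 os.rmdir(self.do_create(suf="b"))
 os.rmdir(self.do_create(pre="a", suf="b"))
 os.rmdir(self.do_create(pre="aa", suf=".txt"))
+os.rmdir(self.do_create(pre=f"{os.sep}home"))
+os.rmdir(self.do_create(pre=os.fsencode(f"{os.sep}home")))
+os.rmdir(self.do_create(suf=f"{os.sep}home"))
+os.rmdir(self.do_create(suf=os.fsencode(f"{os.sep}home")))
 
 def test_basic_with_bytes_names(self):
 # mkdtemp can create directories when given all binary parts
@@ -962,9 +974,19 @@ def test_many(self):
 class TestNamedTemporaryFile(BaseTestCase):
 """Test NamedTemporaryFile()."""
 
-def do_create(self, dir=None, pre="", suf="", delete=True):
+def do_create(self, dir=None, pre=None, suf=None, delete=True):
+output_type = tempfile._infer_return_type(dir, pre, suf)
 if dir is None:
-dir = tempfile.gettempdir()
+if output_type is str:
+dir = tempfile.gettempdir()
+else:
+dir = tempfile.gettempdirb()
+if pre is None:
+pre = output_type()
+if suf is None:
+suf = output_type()
+pre = os.path.basename(pre)
+suf = os.path.basename(suf)
 file = tempfile.NamedTemporaryFile(dir=dir, prefix=pre, suffix=suf,
 delete=delete)
 
@@ -979,6 +1001,10 @@ def test_basic(self):
 self.do_create(suf="b")
 self.do_create(pre="a", suf="b")
 self.do_create(pre="aa", suf=".txt")
+self.do_create(pre=f"{os.sep}home")
+self.do_create(pre=os.fsencode(f"{os.sep}home"))
+self.do_create(suf=f"{os.sep}home")
+self.do_create(suf=os.fsencode(f"{os.sep}home"))
 
 def test_method_lookup(self):
 # Issue #18879: Looking up a temporary file method should keep it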
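Review bot: In all three `do_create` helpers the added `pre = os.path.basename(pre)` and `suf = os.path.basename(suf)` lines come before the `tempfile.mkstemp`, `tempfile.mkdtemp` and `tempfile.NamedTemporaryFile` calls, so the test strips the separator itself and the new `f"{os.sep}home"` cases appear to pass even without the `Lib/tempfile.py` change. Pass the raw values to the tempfile call and take the basename only for the expected-name comparison, e.g. move the two `os.path.basename` assignments below `(fd, name) = tempfile.mkstemp(dir=dir, prefix=pre, suffix=suf)`. An explicit assertion that the created path's directory equals `os.path.abspath(dir)` would pin the containment property directly. Indentation is not visible on this page and the helpers continue outside the hunks, so the exact placement should be confirmed against the file.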
