Closed Bug 1064703 Opened 11 years ago Closed 11 years ago

mozdevice unsafe use of /tmp

Categories

(Testing :: Mozbase, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: kseifried, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36

Steps to reproduce:

Quick code audit of mozdevice from https://pypi.python.org/pypi/mozdevice

mozdevice-0.40/mozdevice/adb_android.py

    class ADBAndroid(ADBDevice, ADBAndroidMixin):
        """ADBAndroid provides all of the methods of :class:`mozdevice.ADB`
        with Android specific extensions useful for that platform.

        ::

            from mozdevice import ADBAndroid as ADBDevice

            adb = ADBDevice(...)

            if adb.is_device_ready():
                adb.install_app("/tmp/build.apk")
                adb.launch_fennec("org.mozilla.fennec")

        """
        pass

Actual results:

It appears to use /tmp very unsafely

Expected results:

It should use a secure directory within /tmp, or not use /tmp at all
Kurt, Thanks for the report. The use of /tmp/ in this case is in the docstring for the class and is just an example use of the class. As such, it is not a bug nor a security issue. I just used it as a quick example. Normally we use Python's tempfile for creating temporary files and directories. I suppose we should not use such bad patterns in our docstrings.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
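The tempfile approach mentioned in the reply, as an added example that is not part of the bug thread or of mozdevice's own code: it stages a file in a private directory and shows an exclusive create refusing a predictable name that already exists as a symlink. The function names, the `mozdevice-` prefix and the sample bytes are assumptions made for illustration.

```python
import os
import stat
import tempfile


def write_exclusive(path, data):
    """Create path only if nothing exists there; never follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def stage_build(data, name="build.apk"):
    """Stage data in a fresh directory that only the current user can enter."""
    workdir = tempfile.mkdtemp(prefix="mozdevice-")  # unpredictable name, mode 0700
    path = os.path.join(workdir, name)
    write_exclusive(path, data)
    return path


def is_private(path):
    """True if path is owned by us and grants nothing to group or other."""
    st = os.lstat(path)
    open_bits = st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)
    return st.st_uid == os.getuid() and open_bits == 0


def demo():
    """Constructed scenario: a predictable name is already taken in a shared dir."""
    shared = tempfile.mkdtemp()  # stands in for a world-writable /tmp
    other = os.path.join(shared, "other-file")
    with open(other, "wb") as fh:
        fh.write(b"original")
    planted = os.path.join(shared, "build.apk")
    os.symlink(other, planted)  # the fixed name now points at another file
    try:
        write_exclusive(planted, b"apk bytes")
        refused = False
    except OSError:  # EEXIST: the exclusive create will not reuse the name
        refused = True
    with open(other, "rb") as fh:
        untouched = fh.read() == b"original"
    return refused, untouched, stage_build(b"apk bytes")


if __name__ == "__main__":
    print(demo())
```

The caller owns the returned directory and should remove it (for example with `shutil.rmtree`) once the file has been consumed.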