From 6978275cdb04bb08aaf142d401b52a46527dac4c Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Fri, 25 Jul 2014 20:47:11 -0700
Subject: [PATCH] Avoid usage of insecure mktemp() function

This patch eliminates the use of the deprecated and insecure tempfile.mktemp() function. It has been replaced with secure alternatives where temporary files are actually required.

Change-Id: I0a13d6d44cd1abc4b66fa33f39eea407617a01d5
SecurityImpact
Closes-bug: #1348869
---
 swift/common/middleware/x_profile/html_viewer.py | 14 ++++++--------
 swift/common/middleware/x_profile/profile_model.py | 9 +++++----
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/swift/common/middleware/x_profile/html_viewer.py b/swift/common/middleware/x_profile/html_viewer.py
index b202e378ac..416ba01165 100644
--- a/swift/common/middleware/x_profile/html_viewer.py
+++ b/swift/common/middleware/x_profile/html_viewer.py
@@ -384,10 +384,7 @@ class HTMLViewer(object):
 elif output_format == 'ods':
 data = stats.to_ods(nfl_esc, limit)
 else:
- profile_tmp_all = tempfile.mktemp('.profile', 'all')
- stats.dump_stats(profile_tmp_all)
- data = open(profile_tmp_all).read()
- os.remove(profile_tmp_all)
+ data = stats.print_stats()
 return data, [('content-type', self.format_dict[output_format])]
 except ODFLIBNotInstalled as ex:
 raise ex
@@ -427,10 +424,11 @@ class HTMLViewer(object):
 plt.xlabel(names[metric_selected])
 plt.title('Profile Statistics (by %s)' % names[metric_selected])
 #plt.gcf().tight_layout(pad=1.2)
- profile_img = tempfile.mktemp('.png', 'plot')
- plt.savefig(profile_img, dpi=300)
- data = open(profile_img).read()
- os.remove(profile_img)
+ profile_img = tempfile.TemporaryFile()
+ plt.savefig(profile_img, format='png', dpi=300)
+ profile_img.seek(0)
+ data = profile_img.read()
+ os.close(profile_img)
 return data, [('content-type', 'image/jpg')]
 except Exception as ex:
 raise ProfileException(_('plotting results failed due to %s') % ex)
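Review bot: `data = stats.print_stats()` in the first hunk only produces a response body if Stats2 overrides print_stats to return text; the inherited pstats.Stats.print_stats() writes to self.stream (stdout by default) and returns the Stats object itself, in which case data would be an object rather than a string. Worth confirming against profile_model.py before merging. This branch previously returned the marshalled dump_stats() output, so any client that reads this format as a raw .profile file now receives formatted text, and if self.format_dict still labels the branch with the raw-profile content type the header no longer describes the body. The enclosing method starts before and ends after this hunk.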
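Review bot: `os.close(profile_img)` in the second hunk passes a file object where an integer descriptor is required, so it raises TypeError on every call; the `except Exception` below then turns that into a ProfileException and the plot endpoint fails after the image has already been rendered. The same `os.close(tmp_ods)` appears in the profile_model.py hunk. The file object's own close() is what is needed, and a `with` block also guarantees cleanup when savefig raises, which the current sequence does not. Separately, the response is still labelled image/jpg although savefig is now explicitly asked for PNG. The enclosing method starts before and ends after this hunk.
```python
            #plt.gcf().tight_layout(pad=1.2)
            with tempfile.TemporaryFile() as profile_img:
                plt.savefig(profile_img, format='png', dpi=300)
                profile_img.seek(0)
                data = profile_img.read()
            return data, [('content-type', 'image/jpg')]
```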
diff --git a/swift/common/middleware/x_profile/profile_model.py b/swift/common/middleware/x_profile/profile_model.py
index b164012f5b..dc5ba8e990 100644
--- a/swift/common/middleware/x_profile/profile_model.py
+++ b/swift/common/middleware/x_profile/profile_model.py
@@ -222,10 +222,11 @@ class Stats2(pstats.Stats):
 table.addElement(tr_header)
 spreadsheet.spreadsheet.addElement(table)
- tmp_ods = tempfile.mktemp('.ods', 'stats')
- spreadsheet.save(tmp_ods, False)
- data = open(tmp_ods).read()
- os.remove(tmp_ods)
+ tmp_ods = tempfile.TemporaryFile()
+ spreadsheet.write(tmp_ods)
+ tmp_ods.seek(0)
+ data = tmp_ods.read()
+ os.close(tmp_ods)
 return data