xpi-repack: Use the tempfile module to create a secure temporary directory.

Thanks: Jakub Wilk <jwilk@debian.org>
Closes: #740759

1 files changed, 6 insertions, 5 deletions

diff --git a/xpi-repack b/xpi-repack
index 2f7fea5..f18580f 100755
--- a/xpi-repack
+++ b/xpi-repack
@@ -18,6 +18,7 @@ import argparse
 import os
 import subprocess
 import sys
+import tempfile
 
 # error codes
 COMMAND_LINE_SYNTAX_ERROR = 1
@@ -35,12 +36,11 @@ def remove_recursive(path):
         os.rmdir(path)
 
 
-def repack_xpi(package, upstream_version, xpi_file, verbose):
+def repack_xpi(script_name, package, upstream_version, xpi_file, verbose):
     # extract xpi file
-    tmp_dir = "/tmp"
+    tmp_dir = tempfile.mkdtemp(prefix=script_name+".")
     extract_dir = package + "-" + upstream_version
     full_extract_dir = os.path.join(tmp_dir, extract_dir)
-    remove_recursive(full_extract_dir)
     subprocess.check_call(["xpi-unpack", xpi_file, full_extract_dir])
 
     # check, if source 3.0 (quilt) format is used
@@ -61,7 +61,7 @@ def repack_xpi(package, upstream_version, xpi_file, verbose):
     subprocess.check_call(cmd)
 
     # remove temporary directory
-    remove_recursive(full_extract_dir)
+    remove_recursive(tmp_dir)
 
 
 def get_source_package_name(script_name):
@@ -93,7 +93,8 @@ def main():
     if not args.package:
         args.package = get_source_package_name(script_name)
 
-    repack_xpi(args.package, args.version, args.xpi_file, args.verbose)
+    repack_xpi(script_name, args.package, args.version, args.xpi_file,
+               args.verbose)
 
 if __name__ == "__main__":
     main()