From a8fff9e4546960594bf78659377e36bcfb82e754 Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Sun, 3 Aug 2025 13:56:35 +0800
Subject: [PATCH 1/7] Deprecate mktemp() to use a safer function.

---
 Lib/asyncio/windows_utils.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/Lib/asyncio/windows_utils.py b/Lib/asyncio/windows_utils.py
index ef277fac3e291c..9789ec78700056 100644
--- a/Lib/asyncio/windows_utils.py
+++ b/Lib/asyncio/windows_utils.py
@@ -31,9 +31,8 @@
 
 def pipe(*, duplex=False, overlapped=(True, True), bufsize=BUFSIZE):
     """Like os.pipe() but with overlapped support and using handles not fds."""
-    address = tempfile.mktemp(
-        prefix=r'\\.\pipe\python-pipe-{:d}-{:d}-'.format(
-            os.getpid(), next(_mmap_counter)))
+    address = r'\\.\pipe\python-pipe-{:d}-{:s}'.format(os.getpid(),
+                                                       str(uuid.uuid4()))
 
     if duplex:
         openmode = _winapi.PIPE_ACCESS_DUPLEX

From cf5da77e582f926f805206e0e98204bdf09adce6 Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Sun, 3 Aug 2025 14:17:01 +0800
Subject: [PATCH 2/7] fix windows_utils.py

---
 Lib/asyncio/windows_utils.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Lib/asyncio/windows_utils.py b/Lib/asyncio/windows_utils.py
index 9789ec78700056..b3cda13414c5d3 100644
--- a/Lib/asyncio/windows_utils.py
+++ b/Lib/asyncio/windows_utils.py
@@ -12,6 +12,7 @@
 import subprocess
 import tempfile
 import warnings
+import uuid
 
 
 __all__ = 'pipe', 'Popen', 'PIPE', 'PipeHandle'

From 345f5e77a087cbb0df50e5f91988896b64011a7f Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Sun, 3 Aug 2025 14:19:56 +0800
Subject: [PATCH 3/7] fix windows_utils.py

---
 Lib/asyncio/windows_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lib/asyncio/windows_utils.py b/Lib/asyncio/windows_utils.py
index b3cda13414c5d3..dccc55241aaca3 100644
--- a/Lib/asyncio/windows_utils.py
+++ b/Lib/asyncio/windows_utils.py
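Review bot: The new `address` line references `uuid`, which this commit does not import — the import only arrives in the following patch — so at this revision `pipe()` raises `NameError` on its first call and the series does not bisect cleanly; squashing [PATCH 2/7] into this commit fixes that. The `{:s}` placeholder paired with `str(uuid.uuid4())` is also more than needed: `'{}'.format(uuid.uuid4())` or an f-string yields the same text without the explicit conversion. The rest of `pipe()`, including where `address` is consumed, lies outside the hunk.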
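Review bot: `import uuid` is appended after `import warnings`, breaking the alphabetical order the surrounding stdlib block follows (`subprocess`, `tempfile`, `warnings`); it belongs between `tempfile` and `warnings`. With `tempfile.mktemp()` removed from `pipe()` in the previous patch, `import tempfile` on the line above has no user visible in this series, and the same presumably applies to `_mmap_counter` and its `itertools` import, which sit outside this hunk — worth checking the rest of the module and dropping them if nothing else uses them.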
@@ -32,7 +32,7 @@
 
 def pipe(*, duplex=False, overlapped=(True, True), bufsize=BUFSIZE):
     """Like os.pipe() but with overlapped support and using handles not fds."""
-    address = r'\\.\pipe\python-pipe-{:d}-{:s}'.format(os.getpid(),
+    address = r'\\.\pipe\python-pipe-{:d}-{:s}'.format(os.getpid(),
                                                        str(uuid.uuid4()))
 
     if duplex:

From 33caf807af8a2289b24fedc4d69306e502bb6f8c Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Sun, 3 Aug 2025 17:57:16 +0800
Subject: [PATCH 4/7] change at tempfile.mkstemp() instead of tempfile.mktemp()

---
 Lib/asyncio/windows_utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Lib/asyncio/windows_utils.py b/Lib/asyncio/windows_utils.py
index dccc55241aaca3..51366904be1e2f 100644
--- a/Lib/asyncio/windows_utils.py
+++ b/Lib/asyncio/windows_utils.py
@@ -32,8 +32,8 @@
 
 def pipe(*, duplex=False, overlapped=(True, True), bufsize=BUFSIZE):
     """Like os.pipe() but with overlapped support and using handles not fds."""
-    address = r'\\.\pipe\python-pipe-{:d}-{:s}'.format(os.getpid(),
-                                                       str(uuid.uuid4()))
+    address = tempfile.mkstemp(r'\\.\pipe\python-pipe-{:d}-{:s}'.format(os.getpid(),
+                                                       str(uuid.uuid4())))
 
     if duplex:
         openmode = _winapi.PIPE_ACCESS_DUPLEX

From daec027561f8c5b3869671b72f223bfba232e430 Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Sun, 3 Aug 2025 18:42:19 +0800
Subject: [PATCH 5/7] fix windows_utils.py

---
 Lib/asyncio/windows_utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Lib/asyncio/windows_utils.py b/Lib/asyncio/windows_utils.py
index 51366904be1e2f..856964f9200115 100644
--- a/Lib/asyncio/windows_utils.py
+++ b/Lib/asyncio/windows_utils.py
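Review bot: `tempfile.mkstemp()` returns an `(fd, path)` tuple and creates (or fails trying to create) a real file under the temp directory, so after this line `address` is no longer a string and an open descriptor is leaked on every successful call; handing the `\\.\pipe\...` name in as the positional `suffix` argument does not turn it into a pipe name either. The next patch in the series replaces this line again, so this commit should be dropped from the series rather than kept in its history. The remainder of `pipe()` is outside the hunk.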
@@ -32,8 +32,8 @@
 
 def pipe(*, duplex=False, overlapped=(True, True), bufsize=BUFSIZE):
     """Like os.pipe() but with overlapped support and using handles not fds."""
-    address = tempfile.mkstemp(r'\\.\pipe\python-pipe-{:d}-{:s}'.format(os.getpid(),
-                                                       str(uuid.uuid4())))
+    pipename = f'python-pipe-{os.getpid()}-{uuid.uuid4()}'
+    address = fr'\\.\pipe\{pipename}'
 
     if duplex:
         openmode = _winapi.PIPE_ACCESS_DUPLEX

From 7b2811a713a523b5e34e3453d6a80614a581e567 Mon Sep 17 00:00:00 2001
From: lighting9999
Date: Mon, 4 Aug 2025 08:13:29 +0800
Subject: [PATCH 6/7] Update windows_utils.py

---
 Lib/asyncio/windows_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lib/asyncio/windows_utils.py b/Lib/asyncio/windows_utils.py
index 856964f9200115..e5fbcc475da039 100644
--- a/Lib/asyncio/windows_utils.py
+++ b/Lib/asyncio/windows_utils.py
@@ -32,7 +32,7 @@
 
 def pipe(*, duplex=False, overlapped=(True, True), bufsize=BUFSIZE):
     """Like os.pipe() but with overlapped support and using handles not fds."""
-    pipename = f'python-pipe-{os.getpid()}-{uuid.uuid4()}'
+    pipename = f'python-pipe-{os.getpid()}-{uuid.uuid4().hex}'
     address = fr'\\.\pipe\{pipename}'
 
     if duplex:

From 31bdba4910cd712165f0a47bda053d0ab3c489f7 Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Mon, 4 Aug 2025 00:25:49 +0000
Subject: [PATCH 7/7] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?=
 =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../2025-08-04-00-25-48.gh-issue-137335.yRgZib.rst | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Library/2025-08-04-00-25-48.gh-issue-137335.yRgZib.rst

diff --git a/Misc/NEWS.d/next/Library/2025-08-04-00-25-48.gh-issue-137335.yRgZib.rst b/Misc/NEWS.d/next/Library/2025-08-04-00-25-48.gh-issue-137335.yRgZib.rst
new file mode 100644
index 00000000000000..96be760983ae3b
--- /dev/null
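Review bot: The random part of `pipename` now comes from `uuid.uuid4().hex`, which is drawn from `os.urandom`, so the name is unguessable — but an unguessable name is not what closes the CWE-377 race the NEWS entry cites: a local process that pre-creates `\\.\pipe\python-pipe-<pid>-<hex>` still wins unless the `CreateNamedPipe` call further down in `pipe()` (outside this hunk) passes `FILE_FLAG_FIRST_PIPE_INSTANCE` so the second creator fails. Worth confirming that flag is set and recording the reasoning next to the new line, e.g. `# Name only has to be unique; squatting is rejected by FILE_FLAG_FIRST_PIPE_INSTANCE at creation below.` Dropping the dashes with `.hex` is fine and keeps the name short; if `_mmap_counter` and `tempfile` have no other users in the module after this series they are dead and should go. `pipe()` continues past the end of the hunk.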
+++ b/Misc/NEWS.d/next/Library/2025-08-04-00-25-48.gh-issue-137335.yRgZib.rst
@@ -0,0 +1,13 @@
+matemp() function is unsafe,so I use safety function.
+bandit tool:
+```
+Issue: [B306:blacklist] Use of insecure and deprecated function (mktemp).
+Severity: Medium Confidence: High
+CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
+More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_calls.html#b306-mktemp-q
+Location: C:\Users\Administrator\Desktop\cpython\lib\asyncio\windows_utils.py:34:14
+33 """Like os.pipe() but with overlapped support and using handles not fds."""
+34 address = tempfile.mktemp(
+35 prefix=r'\.\pipe\python-pipe-{:d}-{:d}-'.format(
+36 os.getpid(), next(_mmap_counter)))
+```