Headline
CVE-2023-2800: Use `mkstemp` to replace deprecated `mktemp` (#23372) · huggingface/transformers@80ca924
Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.
@@ -578,7 +578,7 @@ def download_url(url, proxies=None):
" that this is not compatible with the caching system (your file will be downloaded at each execution) or"
" multiple processes (each process will download the file in a different temporary file)."
)
tmp_file = tempfile.mktemp()
tmp_file = tempfile.mkstemp()[1]
with open(tmp_file, “wb”) as f:
http_get(url, f, proxies=proxies)
return tmp_file
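Review bot: the replacement line `tmp_file = tempfile.mkstemp()[1]` keeps only the path and discards the open file descriptor that `mkstemp()` returns as the first tuple element, so every call to `download_url` leaks one fd and then reopens the same file by name on the next line. Keep the descriptor and use it directly, for example `fd, tmp_file = tempfile.mkstemp()` followed by `with os.fdopen(fd, "wb") as f:` (with `os` imported at module level), which closes the descriptor when the block exits and avoids the second open-by-path. The move from `mktemp` to `mkstemp` itself is the right fix for the advisory: `mkstemp` creates the file atomically with `O_EXCL` and mode 0600, so the predictable-name window that made `mktemp` an insecure temporary file no longer exists.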
Related news
GHSA-282v-666c-3fvg: transformers has Insecure Temporary File
Insecure Temporary File in GitHub repository huggingface/transformers 4.29.2 and prior. A fix is available at commit 80ca92470938bbcc348e2d9cf4734c7c25cb1c43 and anticipated to be part of version 4.30.0.