Message 141129 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	pitrou
Recipients	abacabadabacaba, georg.brandl, ncoghlan, neologix, petri.lehtinen, pitrou
Date	2011-07-25.23:17:40
SpamBayes Score	1.2690397e-07
Marked as misclassified	No
Message-id	<1311635860.86.0.653325461046.issue12464@psf.upfronthosting.co.za>
In-reply-to

Content
Without even mentioning the possibility attacks, I think it's wrong for the cleanup routine to follow symbolic links. It should instead simply remove the links, and not mess with anything outside of the temporary directory. Note that shutil.rmtree() does the right thing by calling lstat(). TemporaryDirectory interestingly uses a "stripped down version of rmtree" which doesn't retain that subtlety.

Without even mentioning the possibility attacks, I think it's wrong for the cleanup routine to follow symbolic links. It should instead simply remove the links, and not mess with anything outside of the temporary directory.

Note that shutil.rmtree() does the right thing by calling lstat(). TemporaryDirectory interestingly uses a "stripped down version of rmtree" which doesn't retain that subtlety.

History
Date	User	Action	Args
2011-07-25 23:17:40	pitrou	set	recipients: + pitrou, georg.brandl, ncoghlan, neologix, abacabadabacaba, petri.lehtinen
2011-07-25 23:17:40	pitrou	set	messageid: <1311635860.86.0.653325461046.issue12464@psf.upfronthosting.co.za>
2011-07-25 23:17:40	pitrou	link	issue12464 messages
2011-07-25 23:17:40	pitrou	create