Charles-François Natali wrote:
> > I agree with Antoine - it's a simple bug
> 
> Alright, in that case I agree (I thought this was considered as a
> security issue).

Yes. The problem is that cleanup() does not delete the temporary
directory but deletes files in the linked directory, even if it's
outside the temporary directory.

> Two comments on the patch:
> 
> Lib/tempfile.py:
>  # Don't recurse to symlinked directories (issue #12464)
> 
> Is it really necessary to indicate the issue reference here (there's
> already version control, no need to tag the code itself)? It does make
> sense in the test, though.

True.

> Lib/test/test_tempfile.py:
> def test_cleanup_with_symlink_to_a_directory(self):
>     # cleanup() should not follow symlinks to directories (issue #12464)
>     [...]
>     # Symlink d1/foo -> d2
>     os.symlink(d2.name, os.path.join(d1.name, "foo"))
> 
> Does Windows have symlinks?
> Looking at Modules/posixmodule.c, I'm not sure, and there seems to be
> a version of os.symlink() that takes an argument indicating whether
> the target is a directory or not.

According to the documentation of os.symlink(), symlinks are available
on Windows 6.0 (Vista) and later, so the test should check for this.
I'm not sure how this can be done, though, as there's no
requires_windows_version() decorator in test.support.

The documentation also says that the extra parameter of os.symlink()
only has an effect it the symlink target does not exist when the link
is created. In the test it does, so I think os.link() and os.symlink()
should both work correctly, also on Windows.

If someone suggests how to test for the Windows version, I'll update
the patch, also to remove the issue reference from the code.