
Author pitrou
Recipients abacabadabacaba, georg.brandl, ncoghlan, neologix, petri.lehtinen, pitrou
Date 2011-07-25.23:17:40
Message-id <1311635860.86.0.653325461046.issue12464@psf.upfronthosting.co.za>
Content
Without even mentioning the possibility of attacks, I think it's wrong for the cleanup routine to follow symbolic links. It should instead simply remove the links, and not mess with anything outside of the temporary directory.

Note that shutil.rmtree() does the right thing by calling lstat(). TemporaryDirectory interestingly uses a "stripped down version of rmtree" which doesn't retain that subtlety.
History
Date  User  Action  Args
2011-07-25 23:17:40  pitrou  set  recipients: + pitrou, georg.brandl, ncoghlan, neologix, abacabadabacaba, petri.lehtinen
2011-07-25 23:17:40  pitrou  set  messageid: <1311635860.86.0.653325461046.issue12464@psf.upfronthosting.co.za>
2011-07-25 23:17:40  pitrou  link  issue12464 messages
2011-07-25 23:17:40  pitrou  create
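
Added example, not part of the original message and not the tempfile or shutil source: two hypothetical cleanup walks over a constructed temporary directory that contains a symlink to a directory outside it, one classifying entries with os.path.isdir() (which follows links) and one with lstat() as the message describes for shutil.rmtree(). All function names, file names and directory prefixes are assumptions, and POSIX symlink semantics are assumed.

```python
import os
import stat
import tempfile


def cleanup_following_links(path):
    """Hypothetical stripped-down cleanup: os.path.isdir() follows symlinks."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isdir(full):      # also True for a symlink to a directory
            cleanup_following_links(full)
        else:
            os.remove(full)
    if os.path.islink(path):
        os.unlink(path)              # the link goes, after its target was emptied
    else:
        os.rmdir(path)


def cleanup_lstat(path):
    """Same walk, but classifies entries with lstat() so links are not followed."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if stat.S_ISDIR(os.lstat(full).st_mode):
            cleanup_lstat(full)
        else:
            os.remove(full)          # a symlink is removed as a link (POSIX)
    os.rmdir(path)


def run_case(cleanup):
    """Build constructed sample dirs, run cleanup, return what survived outside."""
    outside = tempfile.mkdtemp(prefix="outside-")
    tmp = tempfile.mkdtemp(prefix="tmpdir-")
    with open(os.path.join(outside, "keep.txt"), "w") as fh:
        fh.write("data that lives outside the temporary directory\n")
    with open(os.path.join(tmp, "scratch.txt"), "w") as fh:
        fh.write("scratch\n")
    os.symlink(outside, os.path.join(tmp, "link"))
    cleanup(tmp)
    survivors = sorted(os.listdir(outside))
    for name in survivors:           # tidy up the sample "outside" directory
        os.remove(os.path.join(outside, name))
    os.rmdir(outside)
    return survivors, os.path.exists(tmp)


if __name__ == "__main__":
    print("follows links:", run_case(cleanup_following_links))
    print("uses lstat():  ", run_case(cleanup_lstat))
```

The lstat() walk still checks and then acts on a path name, so it narrows the behaviour to "remove the link" but does not by itself close a race between the check and the removal.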