Message164245
I'm not a security guy, but: shouldn't the os.unlink call when it isn't a directory specify follow_symlinks=False? And wouldn't it be safer if the os.rmdir() call also used dir_fd=?
Additionally, I think you missed some stuff for shutil._use_fd_functions. Assuming I'm right on both of the above, you should also check:
* os.listdir in os.supports_dir_fd
* os.rmdir in os.supports_dir_fd
* os.stat in os.supports_dir_fd
* os.stat in os.supports_follow_symlinks
* os.unlink in os.supports_follow_symlinks
I'd spell that
_use_fd_functions = ({os.listdir, os.open, os.rmdir, os.stat, os.unlink} <
os.supports_dir_fd and
{os.stat, os.unlink} <= os.supports_follow_symlinks)
Finally, up to you, but I'd be tempted to change the "lstat" "and "fstat" calls to "stat" calls using the relevant parameters. |
|
Date |
User |
Action |
Args |
2012-06-28 11:22:29 | larry | set | recipients:
+ larry, loewis, georg.brandl, jcea, ncoghlan, pitrou, schmir, tarek, ezio.melotti, eric.araujo, Arfrever, mrts, neologix, teamnoir, rosslagerwall, python-dev, petri.lehtinen, hynek |
2012-06-28 11:22:29 | larry | set | messageid: <1340882549.88.0.883055659456.issue4489@psf.upfronthosting.co.za> |
2012-06-28 11:22:29 | larry | link | issue4489 messages |
2012-06-28 11:22:28 | larry | create | |
|