[issue4489] shutil.rmtree is vulnerable to a symlink attack

Ross Lagerwall report at bugs.python.org
Wed Jan 5 17:58:18 CET 2011


Ross Lagerwall <rosslagerwall at gmail.com> added the comment:

Updated patch removes the race condition. Since an open follows symlinks, you can't just fstat the fd to see if it is a link. I followed the following to overcome this:
https://www.securecoding.cert.org/confluence/display/seccode/POS35-C.+Avoid+race+conditions+while+checking+for+the+existence+of+a+symbolic+link

----------
Added file: http://bugs.python.org/file20277/i4489_v2.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue4489>
_______________________________________
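
Added example, not part of the original message and not the code in i4489_v2.patch: a Python sketch of the lstat / open / fstat comparison that the linked CERT POS35-C rule describes, run against a constructed swap in a temporary directory. The names `open_checked`, `demo` and the `_after_lstat` hook are hypothetical.

```python
import os
import stat
import tempfile


def open_checked(path, flags=os.O_RDONLY, _after_lstat=None):
    """Open `path` only if it is not a symlink and was not replaced meanwhile.

    `_after_lstat` is a hypothetical test hook standing in for another
    process changing the path inside the race window.
    """
    before = os.lstat(path)                 # lstat does not follow symlinks
    if stat.S_ISLNK(before.st_mode):
        raise OSError("refusing symlink: %r" % path)
    if _after_lstat is not None:
        _after_lstat()
    fd = os.open(path, flags)               # open does follow symlinks
    after = os.fstat(fd)                    # describes the object actually opened
    if (before.st_dev, before.st_ino) != (after.st_dev, after.st_ino):
        os.close(fd)
        raise OSError("path changed between lstat and open: %r" % path)
    return fd


def demo():
    """Constructed scenario: a directory is swapped for a symlink after lstat."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim")
        target = os.path.join(root, "target")
        os.mkdir(victim)
        os.mkdir(target)

        def swap():
            os.rename(victim, victim + ".moved")
            os.symlink(target, victim)

        os.close(open_checked(victim))      # no interference: succeeds
        try:
            os.close(open_checked(victim, _after_lstat=swap))
            raced = "opened"
        except OSError:
            raced = "rejected"
        # fstat on an fd opened through the link never reports a link
        fd = os.open(victim, os.O_RDONLY)
        fstat_sees_link = stat.S_ISLNK(os.fstat(fd).st_mode)
        os.close(fd)
        return raced, fstat_sees_link
```

`demo()` returns `("rejected", False)`: the device/inode comparison catches the swap, while `fstat` alone on the opened descriptor does not report a link.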

