On Fri, Apr 29, 2011 at 4:26 PM, Eli Bendersky email@example.com wrote:
> On Thu, Apr 28, 2011 at 04:20:06PM +0200, Éric Araujo wrote:
>> The kind of race condition which can happen here is if an attacker creates "targetpath" between os.path.exists and os.unlink. Whether it is an exploitable flaw would need a detailed analysis, of course.
> Just out of curiosity, could you please elaborate on the potential threat of this? If the "exists" condition is true, targetpath already exists, so what use there is in overwriting it? If the condition is false, unlink isn't executed, so no harm either. What am I missing?
That's the "detailed analysis" part. What happens if other code deletes the path, and the unlink() call subsequently fails despite the successful exists() check? Hence why exception checking (as Nadeem posted) is typically the only right way to do things that access an external environment that supports multiple concurrent processes.
For this kind of case, denial-of-service (i.e. an externally induced program crash) is likely to be the limit of the damage, so the threat isn't severe. Still worth avoiding the risk, though.
Really tricky cases can lead to all sorts of fun and games, like manipulating programs that were granted elevated privileges into executing malicious code that was put in place using only user privileges (combining "sudo" and its ilk with "python" without passing -E and -s is an unfortunately-less-than-tricky way sysadmins can shoot themselves in the foot on that front).
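The failure mode discussed above (exists() succeeds, the path disappears, unlink() then raises) next to the exception-based alternative, as an added example that is not from the thread or from CPython; the `concurrent` hook and the `run` harness are constructed here to stand in for the other process and make the race deterministic (modern Python 3, hence FileNotFoundError):

```python
import os
import tempfile


def remove_racy(targetpath, concurrent=None):
    """Check-then-act, as in the thread: between exists() and unlink()
    another process can change the file system. `concurrent` is a hook
    (constructed for this example) standing in for that other process."""
    if os.path.exists(targetpath):
        if concurrent is not None:
            concurrent()
        os.unlink(targetpath)  # raises FileNotFoundError if the path vanished
        return True
    return False


def remove_eafp(targetpath, concurrent=None):
    """Exception-based version (what the thread recommends): just attempt
    the unlink and treat 'already gone' as a normal result, so a concurrent
    deletion cannot crash the program."""
    if concurrent is not None:
        concurrent()
    try:
        os.unlink(targetpath)
    except FileNotFoundError:
        return False
    return True


def run(remover, race):
    """Create a temp file and call `remover` on it. With race=True the hook
    deletes the file behind the remover's back, simulating the other process.
    Returns 'removed', 'absent', or the name of the exception raised."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    hook = (lambda: os.unlink(path)) if race else None
    try:
        return "removed" if remover(path, concurrent=hook) else "absent"
    except OSError as exc:
        return type(exc).__name__
    finally:
        try:
            os.unlink(path)  # clean up; ignore if already gone
        except FileNotFoundError:
            pass
```

`run(remove_racy, True)` returns "FileNotFoundError" (the crash), while `run(remove_eafp, True)` returns "absent" with no exception; both return "removed" when no other process interferes.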