[Python-Dev] [Python-checkins] cpython (2.7): Fix closes issue10761: tarfile.extractall failure when symlinked files are
Antoine Pitrou
solipsis at pitrou.net
Thu Apr 28 17:32:14 CEST 2011
On Thu, 28 Apr 2011 22:44:50 +0800
Senthil Kumaran <orsenthil at gmail.com> wrote:
> On Thu, Apr 28, 2011 at 04:20:06PM +0200, Éric Araujo wrote:
> > > if hasattr(os, "symlink") and hasattr(os, "link"):
> > > # For systems that support symbolic and hard links.
> > > if tarinfo.issym():
> > > + if os.path.exists(targetpath):
> > > + os.unlink(targetpath)
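Review bot: the os.path.exists(targetpath) test before os.unlink(targetpath) in the issym() branch is check-then-act, so the path can be created, removed or replaced between the two calls. os.path.exists also follows symlinks and returns False for a dangling link at targetpath, which is then left in place. Consider dropping the test and calling os.unlink directly while handling the missing-file error, or using os.path.lexists if the test is kept.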
> >
> > Is there a race condition here?
>
> The lock to avoid race conditions (if you were thinking along those
> lines) would usually be implemented at the higher level code which is
> using extractall in threads.
A lock would only protect against multi-threaded use of the
tarfile module, which is probably quite rare and therefore not a real
concern.
The kind of race condition which can happen here is if an attacker
creates "targetpath" between os.path.exists and os.unlink. Whether it
is an exploitable flaw would need a detailed analysis, of course.
Regards
Antoine.
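
The check-then-unlink pattern discussed in this message, beside a variant that has no window between test and removal, as an added example that is not part of the original message or of CPython's tarfile code. The function names are hypothetical, and it assumes Python 3 on a POSIX system where rename replaces the destination atomically.

```python
import os
import tempfile


def symlink_check_then_unlink(linkname, targetpath):
    """The pattern from the quoted patch: test, then unlink, then link."""
    if os.path.exists(targetpath):      # follows symlinks; False if dangling
        os.unlink(targetpath)           # path may have changed since the test
    os.symlink(linkname, targetpath)


def symlink_atomic(linkname, targetpath):
    """Create the link under a fresh name, then rename it over targetpath."""
    dirname = os.path.dirname(targetpath) or "."
    while True:
        tmp = os.path.join(dirname, ".lnk-" + os.urandom(8).hex())
        try:
            os.symlink(linkname, tmp)   # fails with EEXIST, never overwrites
            break
        except FileExistsError:
            continue                    # name collision: pick another name
    try:
        os.replace(tmp, targetpath)     # rename(2): replaces the entry itself
    except OSError:
        os.unlink(tmp)                  # e.g. targetpath is a directory
        raise


def demo():
    """Run both variants against a dangling symlink already at the target."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "link")
        os.symlink("missing", target)   # constructed pre-existing dangling link
        try:
            symlink_check_then_unlink("a.txt", target)
            results["checked"] = os.readlink(target)
        except FileExistsError:
            results["checked"] = "EEXIST"
        symlink_atomic("a.txt", target)
        results["atomic"] = os.readlink(target)
    return results


if __name__ == "__main__":
    print(demo())
```

The rename only removes the gap at targetpath itself; it does not settle whether the original sequence is exploitable, and it does not cover changes to parent directories.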