[Python-Dev] [Python-checkins] cpython (2.7): Fix closes issue10761: tarfile.extractall failure when symlinked files are
Nick Coghlan
ncoghlan at gmail.com
Fri Apr 29 08:52:01 CEST 2011
On Fri, Apr 29, 2011 at 4:26 PM, Eli Bendersky <eliben at gmail.com> wrote:
>>> On Thu, Apr 28, 2011 at 04:20:06PM +0200, Éric Araujo wrote:
>> The kind of race condition which can happen here is if an attacker
>> creates "targetpath" between os.path.exists and os.unlink. Whether it
>> is an exploitable flaw would need a detailed analysis, of course.
>>
>
> Just out of curiosity, could you please elaborate on the potential
> threat of this? If the "exists" condition is true, targetpath already
> exists, so what use there is in overwriting it? If the condition is
> false, unlink isn't executed, so no harm either. What am I missing?
That's the "detailed analysis" part. What happens if other code
deletes the path, and the unlink() call subsequently fails despite the
successful exists() check? Hence why exception checking (as Nadeem
posted) is typically the only right way to do things that access an
external environment that supports multiple concurrent processes.
For this kind of case, denial-of-service (i.e. an externally induced
program crash) is likely to be the limit of the damage, so the threat
isn't severe. Still worth avoiding the risk, though.
Really tricky cases can lead to all sorts of fun and games, like
manipulating programs that were granted elevated privileges into
executing malicious code that was put in place using only user
privileges (combining "sudo" and its ilk with "python" without passing
-E and -s is an unfortunately-less-than-tricky way sysadmins can shoot
themselves in the foot on that front).
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
More information about the Python-Dev
mailing list