On Thu, Dec 3, 2015 at 12:28 AM, Steven D'Aprano <st...@pearwood.info> wrote:
>> if not os.path.ismount("/tmp"):
>>     sys.exit("/tmp not mounted.")
>
> This is good enough for quick and dirty scripts, but this is vulnerable to a
> race condition. It may be that /tmp is mounted *now*, but a millisecond
> later (before you can use it) another process unmounts it.
>
> This is called a "time of check to time of use" bug:
>
> https://cwe.mitre.org/data/definitions/367.html
>
> https://www.owasp.org/index.php/Time_of_check,_time_of_use_race_condition
>
> https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use
>
> and can be a serious software vulnerability.
>
> If this code is only being used under trusted conditions, then it is
> probably okay, otherwise you should reconsider your strategy.
>
> (Besides, how often do you unmount /tmp?)
>
Possibly it's not worried about *un*mounting of /tmp, but about being run
prior to /tmp being mounted for the first time. If that's the case, the
check/use difference won't matter - worst case, the program errors out
even though the mount was almost completed.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
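
An added example, not part of either message in the thread: one way to close the check/use gap discussed above is to open the directory once, run the mount test on that descriptor, and do all later work relative to it with `dir_fd`. The helper names `open_mounted_dir` and `create_in` are hypothetical, and the code assumes a POSIX system where Python supports `dir_fd`; like `os.path.ismount`, it cannot detect bind mounts on the same filesystem.

```python
import os


def open_mounted_dir(path):
    """Open path as a directory and return its fd only if it is a mount point.

    The mount test runs on the open descriptor, so later dir_fd operations
    act on the directory that was checked, whatever happens to the path.
    """
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        here = os.fstat(fd)
        parent = os.stat("..", dir_fd=fd)
        # Same rule os.path.ismount applies: a different device than the
        # parent, or the same inode as the parent (the root directory).
        is_mount = here.st_dev != parent.st_dev or here.st_ino == parent.st_ino
        if not is_mount:
            raise OSError(f"{path} is not a mount point")
        return fd
    except BaseException:
        os.close(fd)
        raise


def create_in(dir_fd, name, data):
    """Create a new file inside the pinned directory.

    O_EXCL refuses to reuse an existing name and O_NOFOLLOW refuses a
    symlink planted at that name.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(name, flags, 0o600, dir_fd=dir_fd)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    try:
        tmp_fd = open_mounted_dir("/tmp")
    except OSError as exc:
        raise SystemExit(f"/tmp not usable: {exc}")
    try:
        name = f"demo-{os.getpid()}.txt"  # constructed sample file name
        create_in(tmp_fd, name, b"written via dir_fd\n")
        os.unlink(name, dir_fd=tmp_fd)
    finally:
        os.close(tmp_fd)
```
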