[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-29 Thread Charles-François Natali
Charles-François Natali added the comment:

Committed. Petri, thanks for the patch.

--
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> closed

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-29 Thread Roundup Robot
Roundup Robot added the comment:

New changeset 5f7e71cfbcd6 by Charles-François Natali in branch '3.2':
Issue #12464: tempfile.TemporaryDirectory.cleanup() should not follow symlinks:
http://hg.python.org/cpython/rev/5f7e71cfbcd6

New changeset c0bae008df81 by Charles-François Natali in branch '

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-27 Thread Charles-François Natali
Charles-François Natali added the comment:

The patch looks good to me.

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-27 Thread Petri Lehtinen
Petri Lehtinen added the comment:

Attached an updated patch:
- the test now uses support.skip_unless_symlink decorator
- added an explicit assertion ensuring that the contents of the linked directory aren't deleted
- removed issue reference from the code

--
Added file: http://bugs.p

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-26 Thread Antoine Pitrou
Antoine Pitrou added the comment:

You can simply use support.skip_unless_symlink().

> Charles-François Natali added the comment:
>
> > If someone suggests how to test for the Windows version, I'll update
> > the patch, also to remove the issue reference from the code.
>
> Well, I don't know

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-26 Thread Charles-François Natali
Charles-François Natali added the comment:

> If someone suggests how to test for the Windows version, I'll update
> the patch, also to remove the issue reference from the code.

Well, I don't know Windows, but there's platform.win32_ver() (http://docs.python.org/library/platform.html#platform.wi

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-26 Thread Petri Lehtinen
Petri Lehtinen added the comment:

Charles-François Natali wrote:
> > I agree with Antoine - it's a simple bug
>
> Alright, in that case I agree (I thought this was considered as a
> security issue).

Yes. The problem is that cleanup() does not delete the temporary directory but deletes files in

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-26 Thread Charles-François Natali
Charles-François Natali added the comment:

> I agree with Antoine - it's a simple bug

Alright, in that case I agree (I thought this was considered as a security issue).

Two comments on the patch:

Lib/tempfile.py:
# Don't recurse to symlinked directories (issue #12464)

Is it really necessary

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-25 Thread Nick Coghlan
Nick Coghlan added the comment: I agree with Antoine - it's a simple bug introduced by the attempt to allow temporary directories to be correctly cleaned up during interpreter shutdown. The race condition due to the usage of LBYL is shared with the full shutil.rmtree implementation, so the pa

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-25 Thread Antoine Pitrou
Antoine Pitrou added the comment: Without even mentioning the possibility of attacks, I think it's wrong for the cleanup routine to follow symbolic links. It should instead simply remove the links, and not mess with anything outside of the temporary directory. Note that shutil.rmtree() does the

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-25 Thread Charles-François Natali
Charles-François Natali added the comment:

I'm not sure I see what the problem is:
- if the idea behind this is the risk of symlink attack (like issue #4489), it's not the case here, because the directory is created with 0600 permission
- furthermore, the attached patch has a TOCTTOU race, betw

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-25 Thread Petri Lehtinen
Petri Lehtinen added the comment:

Adding potential reviewers to nosy list.

--
nosy: +georg.brandl, ncoghlan

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-25 Thread Petri Lehtinen
Petri Lehtinen added the comment:

Attached a patch that fixes the issue and adds a test case for it.

--
keywords: +needs review, patch
stage: -> patch review
Added file: http://bugs.python.org/file22754/issue12464.patch

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-03 Thread Petri Lehtinen
Changes by Petri Lehtinen:

--
nosy: +petri.lehtinen

[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links

2011-07-01 Thread Evgeny Kapun
New submission from Evgeny Kapun:

TemporaryDirectory.cleanup follows symbolic links to directories and tries to clean them as well. Try this (on Linux):

    import os, tempfile
    with tempfile.TemporaryDirectory() as d:
        os.symlink("/proc", d + "/test")

--
components: Library (Lib) m
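The behaviour reported in this thread, next to the fix direction discussed in it (unlink the symlink instead of recursing into it), as an added example that is not part of the original messages and is not CPython's code. The function names, the `follow_links` switch and the directory layout are constructed for illustration.

```python
import os
import shutil
import tempfile


def rmtree(path, follow_links):
    """Recursive delete; follow_links=True reproduces the reported behaviour."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        # os.path.isdir() follows symlinks, so a link to a directory is "a directory".
        is_dir = os.path.isdir(full)
        if not follow_links:
            # Hardened check: treat a symlink as a plain entry to unlink.
            # Still look-before-you-leap, so the race noted in the thread remains.
            is_dir = is_dir and not os.path.islink(full)
        if is_dir:
            rmtree(full, follow_links)
        else:
            try:
                os.remove(full)
            except OSError:
                pass
    try:
        os.rmdir(path)  # fails on a symlink, leaving the parent non-empty
    except OSError:
        pass


def run_case(follow_links):
    """Build a constructed layout and report what survives the cleanup."""
    base = tempfile.mkdtemp()
    try:
        outside = os.path.join(base, "outside")  # stands in for data outside the temp dir
        tmp = os.path.join(base, "tmp")          # stands in for the temporary directory
        os.mkdir(outside)
        os.mkdir(tmp)
        keep = os.path.join(outside, "keep.txt")
        with open(keep, "w") as f:
            f.write("must survive\n")
        os.symlink(outside, os.path.join(tmp, "link"))
        rmtree(tmp, follow_links)
        return {"outside_file_exists": os.path.exists(keep),
                "tmp_removed": not os.path.exists(tmp)}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("following links:", run_case(True))
    print("not following:  ", run_case(False))
```

With `follow_links=True` the file behind the link is deleted while the temporary directory itself is left in place, which is the symptom described in the thread.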