[issue12464] tempfile.TemporaryDirectory.cleanup follows symbolic links
Antoine Pitrou
report at bugs.python.org
Tue Jul 26 01:17:40 CEST 2011
Antoine Pitrou <pitrou at free.fr> added the comment:
Without even mentioning the possibility of attacks, I think it's wrong for the cleanup routine to follow symbolic links. It should instead simply remove the links, and not mess with anything outside of the temporary directory.
Note that shutil.rmtree() does the right thing by calling lstat(). TemporaryDirectory interestingly uses a "stripped down version of rmtree" which doesn't retain that subtlety.
----------
nosy: +pitrou
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue12464>
_______________________________________
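
The difference between classifying directory entries with lstat() and following links during cleanup, as an added example (not code from the tracker or from CPython). `remove_tree` and `run_case` are hypothetical names, and the directory layout is constructed in fresh temporary directories.

```python
import os
import stat
import tempfile


def remove_tree(path, follow_links=False):
    """Recursively delete path. follow_links=True models the flawed behaviour."""
    stat_fn = os.stat if follow_links else os.lstat  # lstat inspects the link itself
    for name in os.listdir(path):
        full = os.path.join(path, name)
        try:
            is_dir = stat.S_ISDIR(stat_fn(full).st_mode)
        except OSError:
            is_dir = False  # e.g. a dangling link when os.stat is used
        if is_dir:
            remove_tree(full, follow_links)
        else:
            os.unlink(full)  # files and symlinks: remove the entry only
    if os.path.islink(path):
        os.unlink(path)  # reached only when a link was followed into
    else:
        os.rmdir(path)


def run_case(follow_links):
    """Constructed layout: a temp dir containing a symlink to a directory outside it."""
    outside = tempfile.mkdtemp(prefix="outside-")
    keep = os.path.join(outside, "keep.txt")
    with open(keep, "w") as f:
        f.write("must survive\n")
    tmp = tempfile.mkdtemp(prefix="tmp-")
    os.mkdir(os.path.join(tmp, "sub"))
    with open(os.path.join(tmp, "sub", "a.txt"), "w") as f:
        f.write("x")
    os.symlink(outside, os.path.join(tmp, "link"))

    remove_tree(tmp, follow_links)
    result = (not os.path.exists(tmp), os.path.exists(keep))
    # Tidy the constructed outside directory.
    if os.path.exists(keep):
        os.unlink(keep)
    os.rmdir(outside)
    return result  # (temp dir removed, outside file intact)


if __name__ == "__main__":
    print("lstat:", run_case(False))
    print("stat: ", run_case(True))
```

An lstat()-then-descend check still leaves a window between the check and the recursion. On platforms with fd-based directory functions, shutil.rmtree closes that window, which shutil.rmtree.avoids_symlink_attacks reports.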