Security implications of using open() on untrusted strings.

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Tue Nov 25 02:40:57 EST 2008


Jorgen Grahn wrote:

> Seems to me you simply want to know beforehand that the reading will
> work.  But you can never check that!  You can stat(2) the file, or
> open-and-close it -- and then a microsecond later, someone deletes the
> file, or replaces it with another one, or write-protects it, or mounts
> a file system on top of its directory, or drops a nuke over the city,
> or ...

Depends on what exactly you're trying to guard against. Your comments would apply, for example, to a set-uid program being run by a potentially hostile local user (except that Linux doesn't allow set-uid scripts).

But if the script is being run, for example, via a Web interface, where processes on the local system can be trusted but the remote user cannot, then it is perfectly legitimate to use calls like stat(2) to enforce your own permission checks before allowing an operation.
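As an added example (not code from either poster), here is one way to do what the reply describes: confine an untrusted name to a base directory and apply your own permission checks before handing the file to the remote user. It also takes the quoted objection into account: the checks are done with fstat(2) on the descriptor that open(2) actually returned, not with stat(2) on the name, so the object checked is the object read, whatever happens to the path in between. It assumes a POSIX system (O_NOFOLLOW, symlinks, mode bits); the refusal of world-writable files is a hypothetical application policy, and the function names and the directory tree built by demo() are constructed for this illustration.

```python
import os
import shutil
import stat
import tempfile


def safe_open_for_read(base_dir, untrusted_name):
    """Open a file named by an untrusted string, confined to base_dir.

    Policy enforced (hypothetical application policy, POSIX assumed):
      * the name is relative, free of '..' components and NUL bytes, and
        stays lexically inside base_dir;
      * a symlink as the final component is refused (O_NOFOLLOW);
      * only regular files are served, and world-writable ones are refused;
      * the checks run on the opened descriptor (fstat), so there is no
        window between checking one object and reading another.
    Returns a binary file object, or raises PermissionError.
    """
    base = os.path.realpath(base_dir)
    if "\0" in untrusted_name or os.path.isabs(untrusted_name):
        raise PermissionError("name escapes base directory")
    if os.pardir in untrusted_name.split(os.sep):
        raise PermissionError("name escapes base directory")
    full = os.path.normpath(os.path.join(base, untrusted_name))
    if os.path.commonpath([base, full]) != base:
        raise PermissionError("name escapes base directory")
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(full, flags)
    except OSError as e:
        # ELOOP here means the final component was a symlink.
        raise PermissionError("cannot open %s: %s" % (untrusted_name, e.strerror)) from e
    try:
        st = os.fstat(fd)          # inspect what we opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_mode & stat.S_IWOTH:
            raise PermissionError("world-writable file refused")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo():
    """Build a constructed directory tree and probe the policy.

    Returns a dict mapping each probe name to the bytes read, or to a
    string starting with 'refused: ' explaining why it was refused.
    """
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "docs")
        os.mkdir(base)
        os.mkdir(os.path.join(base, "sub"))

        def put(path, data, mode):
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)   # explicit modes so the umask cannot skew results

        put(os.path.join(base, "readme.txt"), b"hello\n", 0o644)
        put(os.path.join(base, "public.txt"), b"anyone can edit\n", 0o666)
        put(os.path.join(root, "secret.txt"), b"outside the tree\n", 0o644)
        # A symlink inside the tree pointing outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))

        probes = ["readme.txt", "public.txt", "sub", "link",
                  "../secret.txt", "/etc/passwd", "sub/../readme.txt"]
        results = {}
        for name in probes:
            try:
                with safe_open_for_read(base, name) as f:
                    results[name] = f.read()
            except PermissionError as e:
                results[name] = "refused: " + str(e)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-20s %r" % (name, outcome))
```

The name check is deliberately lexical and strict: "sub/../readme.txt" would resolve inside the tree, but it is refused anyway because allowing ".." means reasoning about what every intermediate component is at the moment of the open. Symlinks in intermediate components are still followed by the kernel; if the base directory is writable by anyone other than the service, that is the remaining gap to close (for example with O_PATH walks or openat2 on newer Linux kernels).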



More information about the Python-list mailing list