[issue4489] shutil.rmtree is vulnerable to a symlink attack
Larry Hastings
report at bugs.python.org
Thu Jun 28 14:01:43 CEST 2012
Larry Hastings <larry at hastings.org> added the comment:
I'm pretty busy right now, please open a ticket for listdir.
_rmtree_safe_fd could remove the directory just after the recursive step using the parent's dirfd. Of course you'd also have to add a rmdir for the very-tippy-top after the original call in shutil.rmtree too. But this would prevent the malicious user from even removing empty directories.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue4489>
_______________________________________
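
The ordering described in the comment above, as an added example that is not part of the original message and is not CPython's shutil code: each subdirectory is removed with rmdir relative to its parent's directory fd right after the recursive step, and the top directory is removed by the caller after the original call. The names rmtree_fd, _rmtree_fd and demo and the temporary tree are constructed for illustration; it assumes a POSIX platform where os.listdir accepts a file descriptor.

```python
import os
import stat
import tempfile

def _rmtree_fd(topfd):
    """Empty the directory open at topfd, addressing every entry relative to that fd."""
    for name in os.listdir(topfd):
        st = os.stat(name, dir_fd=topfd, follow_symlinks=False)
        if not stat.S_ISDIR(st.st_mode):
            # Files and symlinks (even symlinks to directories) are unlinked, never entered.
            os.unlink(name, dir_fd=topfd)
            continue
        fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=topfd)
        try:
            # Refuse to descend if the entry was swapped between the stat and the open.
            if not os.path.samestat(st, os.fstat(fd)):
                raise OSError("entry changed during traversal: %r" % name)
            _rmtree_fd(fd)
        finally:
            os.close(fd)
        # Remove the child right after the recursive step, using the parent's dirfd.
        os.rmdir(name, dir_fd=topfd)

def rmtree_fd(path):
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _rmtree_fd(fd)
    finally:
        os.close(fd)
    # No parent fd is held for the top directory, so it is removed after the call.
    os.rmdir(path)

def demo():
    """Constructed tree: victim/ holds a file and tree/sub/link points at victim/."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")
    tree = os.path.join(base, "tree")
    os.makedirs(os.path.join(tree, "sub", "empty"))
    os.mkdir(victim)
    keep = os.path.join(victim, "keep.txt")
    with open(keep, "w") as f:
        f.write("outside the tree\n")
    os.symlink(victim, os.path.join(tree, "sub", "link"))
    rmtree_fd(tree)
    return os.path.exists(tree), os.path.exists(keep)

if __name__ == "__main__":
    print(demo())
```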