shutil.rmtree is vulnerable to a symlink attack #48739

Description

@mrts
mannequin
BPO 4489
Nosy @loewis, @birkenfeld, @jcea, @ncoghlan, @pitrou, @larryhastings, @blueyed, @tarekziade, @ezio-melotti, @merwok, @akheron, @hynek
PRs
  • gh-48739: tests(tests_shutil): fix comment with check_args_to_onerror #22968
Dependencies
  • bpo-4761: create Python wrappers for openat() and others
  • bpo-10755: Add posix.fdlistdir
  • bpo-13734: Add a generic directory walker method to avoid symlink attacks
  • bpo-14773: fwalk breaks on dangling symlinks
Files
  • shutil_patched.py
  • issue4489_first_attempt.diff
  • test_issue4489.sh
  • i4489.patch: Initial patch and test
  • i4489_v2.patch: Updated patch
  • i4489_v3.patch: Updated patch
  • i4489_v4.patch
  • rmtree-with-fwalk-v1.diff
  • rmtree-with-fwalk-docs-v1.diff
  • rmtree-with-fwalk-v2.diff
  • rmtree-with-fwalk-v3.diff
  • direct_rmtree_safe.diff
  • mvl-revisited-plus-docs.diff
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/hynek'
    closed_at = <Date 2012-06-28.10:39:44.997>
    created_at = <Date 2008-12-02.15:42:01.840>
    labels = ['type-security', 'library', 'release-blocker']
    title = 'shutil.rmtree is vulnerable to a symlink attack'
    updated_at = <Date 2020-10-25.13:33:48.102>
    user = 'https://bugs.python.org/mrts'

    bugs.python.org fields:

    activity = <Date 2020-10-25.13:33:48.102>
    actor = 'blueyed'
    assignee = 'hynek'
    closed = True
    closed_date = <Date 2012-06-28.10:39:44.997>
    closer = 'hynek'
    components = ['Library (Lib)']
    creation = <Date 2008-12-02.15:42:01.840>
    creator = 'mrts'
    dependencies = ['4761', '10755', '13734', '14773']
    files = ['12482', '12484', '12485', '20274', '20277', '20279', '23261', '25630', '25631', '25649', '25660', '25935', '26089']
    hgrepos = []
    issue_num = 4489
    keywords = ['patch', 'needs review']
    message_count = 83.0
    messages = ['76753', '78389', '78391', '78398', '78405', '78406', '78418', '78425', '78440', '78441', '78442', '78443', '78444', '78445', '78446', '78447', '78448', '78451', '103686', '124472', '125425', '125429', '125435', '125436', '125446', '142609', '144621', '145113', '145133', '147058', '147059', '147080', '147217', '147249', '150794', '150810', '150834', '150952', '159467', '159622', '161047', '161048', '161050', '161130', '161207', '161250', '161256', '161266', '162558', '162559', '162596', '162609', '163089', '163092', '163338', '163444', '163636', '163655', '163721', '163722', '163723', '163726', '163729', '163731', '163732', '163733', '163734', '163735', '163736', '163738', '163874', '163877', '163883', '163884', '163941', '164197', '164234', '164235', '164245', '164247', '164248', '164251', '164255']
    nosy_count = 19.0
    nosy_names = ['loewis', 'georg.brandl', 'jcea', 'ncoghlan', 'pitrou', 'larry', 'blueyed', 'schmir', 'tarek', 'ezio.melotti', 'eric.araujo', 'Arfrever', 'mrts', 'neologix', 'teamnoir', 'rosslagerwall', 'python-dev', 'petri.lehtinen', 'hynek']
    pr_nums = ['22968']
    priority = 'release blocker'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue4489'
    versions = ['Python 3.3']
