Backport of SF patch 590294: os._execvpe security fix (Zack Weinberg).

gvanrossum · gvanrossum · commit d31a8036fe41 · 2002-08-08T19:46:52.000Z
1) Do not attempt to exec a file which does not exist
just to find out what error the operating system
returns. This is an exploitable race on all platforms
that support symbolic links.

2) Immediately re-raise the exception if we get an
error other than errno.ENOENT or errno.ENOTDIR. This
may need to be adapted for other platforms.
diff --git a/Lib/os.py b/Lib/os.py
@@ -301,16 +301,17 @@ def execvpe(file, args, env):
 
 __all__.extend(["execl","execle","execlp","execlpe","execvp","execvpe"])
 
-_notfound = None
 def _execvpe(file, args, env=None):
+    from errno import ENOENT, ENOTDIR
+
     if env is not None:
         func = execve
         argrest = (args, env)
     else:
         func = execv
         argrest = (args,)
         env = environ
-    global _notfound
+
     head, tail = path.split(file)
     if head:
         apply(func, (file,) + argrest)
@@ -320,30 +321,14 @@ def _execvpe(file, args, env=None):
     else:
         envpath = defpath
     PATH = envpath.split(pathsep)
-    if not _notfound:
-        if sys.platform[:4] == 'beos':
-            #  Process handling (fork, wait) under BeOS (up to 5.0)
-            #  doesn't interoperate reliably with the thread interlocking
-            #  that happens during an import.  The actual error we need
-            #  is the same on BeOS for posix.open() et al., ENOENT.
-            try: unlink('/_#.# ## #.#')
-            except error, _notfound: pass
-        else:
-            import tempfile
-            t = tempfile.mktemp()
-            # Exec a file that is guaranteed not to exist
-            try: execv(t, ('blah',))
-            except error, _notfound: pass
-    exc, arg = error, _notfound
     for dir in PATH:
         fullname = path.join(dir, file)
         try:
             apply(func, (fullname,) + argrest)
         except error, (errno, msg):
-            if errno != arg[0]:
-                exc, arg = error, (errno, msg)
-    raise exc, arg
-
+            if errno != ENOENT and errno != ENOTDIR:
+                raise
+    raise error, (errno, msg)
 
 # Change environ to automatically call putenv() if it exists
 try:
