Antoine Pitrou <pit...@free.fr> added the comment:

Without even mentioning the possibility of attacks, I think it's wrong for the cleanup routine to follow symbolic links. It should instead simply remove the links, and not mess with anything outside of the temporary directory.

Note that shutil.rmtree() does the right thing by calling lstat(). TemporaryDirectory interestingly uses a "stripped down version of rmtree" which doesn't retain that subtlety.

----------
nosy: +pitrou

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12464>
_______________________________________
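
An added illustration of the difference described in this message (not code from the tracker issue or from CPython): two constructed cleanup routines, one that tests entries with os.path.isdir(), which follows symbolic links, and one that tests them with lstat(). All function names and the directory layout are assumptions made for the example.

```python
import os
import shutil
import stat
import tempfile


def cleanup_following_links(path):
    """Constructed 'before': isdir() calls stat(), so a symlink that points at
    a directory is descended into and the target's contents are deleted."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isdir(full):
            cleanup_following_links(full)
        else:
            os.unlink(full)
    if os.path.islink(path):
        os.unlink(path)
    else:
        os.rmdir(path)


def cleanup_without_following(path):
    """Constructed 'after': lstat() describes the entry itself, so a symlink
    is never a directory here and is simply unlinked."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if stat.S_ISDIR(os.lstat(full).st_mode):
            cleanup_without_following(full)
        else:
            os.unlink(full)  # removes the link, leaves its target alone
    os.rmdir(path)


def demo(cleanup):
    """Run `cleanup` on a temp dir containing a symlink to an outside directory.
    Returns (outside file survived, temp dir still exists)."""
    outside = tempfile.mkdtemp(prefix="outside-")
    keep = os.path.join(outside, "keep.txt")
    with open(keep, "w") as fh:
        fh.write("data")
    tmp = tempfile.mkdtemp(prefix="tmp-")
    os.symlink(outside, os.path.join(tmp, "link"))
    cleanup(tmp)
    result = (os.path.exists(keep), os.path.exists(tmp))
    shutil.rmtree(outside, ignore_errors=True)
    return result
```

The lstat() test still leaves a gap between checking an entry and descending into it; `shutil.rmtree.avoids_symlink_attacks` reports whether the running platform's rmtree() uses the file-descriptor-based variant that closes that gap.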