Christian Heimes <[email protected]> added the comment:
I just noticed that you are using hard-coded paths with /tmp for the pystats
directory. That's problematic and opens the possibility of a symlink race
attack.
Could you please add exclusive create to _Py_PrintSpecializationStats()? This will
prevent symlink attacks. fopen() mode "x" is not generally available in all
libcs. You have to combine open() and fdopen():
    #include <fcntl.h>   /* open(), O_* flags */
    #include <stdio.h>   /* fdopen() */
    #include <unistd.h>  /* close() */

    int flags = O_WRONLY | O_CREAT | O_EXCL;
    #ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
    #endif
    #ifdef O_CLOEXEC
    flags |= O_CLOEXEC;
    #endif
    /* O_CREAT requires the mode argument */
    int fd = open(path, flags, 0600);
    if (fd >= 0) {
        FILE *fout = fdopen(fd, "w");
        if (fout == NULL) {
            close(fd);  /* don't leak the descriptor */
        }
    }
----------
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue46072>
_______________________________________
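As an added example (not Christian's proposal and not CPython code), the exclusive-create pattern from the comment wrapped in a function and exercised against the cases it is meant to refuse, in a constructed scratch directory under /tmp; open_stats_exclusive and demo_exclusive_create are hypothetical names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Hardened open: never follow a symlink at path, never reuse an existing
 * file. Returns NULL with errno set (EEXIST, ELOOP, ...) on refusal. */
FILE *open_stats_exclusive(const char *path)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
#ifdef O_CLOEXEC
    flags |= O_CLOEXEC;
#endif
    int fd = open(path, flags, 0600);   /* O_CREAT requires a mode */
    if (fd < 0) return NULL;
    FILE *fout = fdopen(fd, "w");
    if (fout == NULL) close(fd);        /* don't leak the descriptor */
    return fout;
}

/* Exercises three cases in a constructed temporary directory. Returns a
 * bitmask: 1 = fresh path created, 2 = existing file refused (EEXIST),
 * 4 = planted symlink refused and nothing created behind it. 7 = all pass. */
int demo_exclusive_create(void)
{
    char dir[] = "/tmp/pystats_demo_XXXXXX", fresh[64], planted[64], target[64];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(fresh, sizeof fresh, "%s/stats.txt", dir);
    snprintf(planted, sizeof planted, "%s/stats-link.txt", dir);
    snprintf(target, sizeof target, "%s/elsewhere.txt", dir);
    int result = 0;
    FILE *f = open_stats_exclusive(fresh);     /* case 1: nothing there yet */
    if (f != NULL && fputs("stats\n", f) >= 0 && fclose(f) == 0)
        result |= 1;
    errno = 0;                                 /* case 2: it exists now */
    if (open_stats_exclusive(fresh) == NULL && errno == EEXIST)
        result |= 2;
    errno = 0;                                 /* case 3: symlink planted */
    if (symlink(target, planted) == 0 && open_stats_exclusive(planted) == NULL &&
        (errno == EEXIST || errno == ELOOP) && access(target, F_OK) != 0)
        result |= 4;
    unlink(planted); unlink(fresh); rmdir(dir);
    return result;
}
```

The symlink case is the one the comment warns about: with O_CREAT|O_EXCL the open fails on any existing entry at the path, including a symlink, so no file is ever created at the link's target.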