On Thu, 28 Apr 2011 22:44:50 +0800 Senthil Kumaran <orsent...@gmail.com> wrote: > On Thu, Apr 28, 2011 at 04:20:06PM +0200, Éric Araujo wrote: > > > if hasattr(os, "symlink") and hasattr(os, "link"): > > > # For systems that support symbolic and hard links. > > > if tarinfo.issym(): > > > + if os.path.exists(targetpath): > > > + os.unlink(targetpath) > > > > Is there a race condition here? > > The lock to avoid race conditions (if you were thinking along those > lines) would usually be implemented at the higher level code which is > using extractall in threads.
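Review bot: the added `os.path.exists(targetpath)` check under `if tarinfo.issym():` follows symlinks, so it returns False when targetpath is itself a dangling symlink, and the stale link is then never removed. The check also leaves a window before `os.unlink(targetpath)` in which the path can be created, removed or swapped. Suggest dropping the check and calling os.unlink directly while handling the missing-file error (or using os.path.lexists if a check is kept). A comment should also say what is meant to happen when targetpath is a directory, since os.unlink fails there.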
A lock would only protect against multi-threaded use of the tarfile module, which is probably quite rare and therefore not a real concern. The kind of race condition which can happen here is if an attacker creates "targetpath" between os.path.exists and os.unlink. Whether it is an exploitable flaw would need a detailed analysis, of course.

Regards

Antoine.
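The window described in the message above disappears when the existing path is never checked and unlinked as separate steps. As an added example (not code from this thread or from the tarfile module), the sketch below creates the link under a temporary name and renames it over the destination. The helper name `replace_symlink`, the temporary-name scheme and the reliance on POSIX rename semantics are assumptions.

```python
import os
import secrets
import tempfile


def replace_symlink(link_target, targetpath, attempts=10):
    """Hypothetical helper (not tarfile code): point targetpath at link_target
    with no separate exists()/unlink() step for another process to race."""
    directory = os.path.dirname(targetpath) or "."
    for _ in range(attempts):
        # Unpredictable sibling name. os.symlink never overwrites: if the name
        # is already taken it raises FileExistsError and we pick another.
        tmp = os.path.join(directory, ".tmp-" + secrets.token_hex(8))
        try:
            os.symlink(link_target, tmp)
        except FileExistsError:
            continue
        try:
            # rename() replaces the directory entry in one atomic step, so
            # targetpath is always either the old entry or the new link.
            os.replace(tmp, targetpath)
        except OSError:
            os.unlink(tmp)  # e.g. targetpath is a directory: clean up, refuse
            raise
        return
    raise FileExistsError("no free temporary name next to " + targetpath)


def demo():
    """Constructed cases: dangling link, regular file, directory."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "link")
        os.symlink("missing-target", path)           # dangling symlink
        out["exists_sees_dangling"] = os.path.exists(path)
        replace_symlink("new-target", path)
        out["after_dangling"] = os.readlink(path)
        os.unlink(path)
        with open(path, "w") as f:                   # regular file in the way
            f.write("x")
        replace_symlink("other-target", path)
        out["after_file"] = os.readlink(path)
        os.unlink(path)
        os.mkdir(path)                               # directory in the way
        try:
            replace_symlink("x", path)
            out["dir_refused"] = False
        except OSError:
            out["dir_refused"] = True
        out["leftovers"] = sorted(os.listdir(d))
    return out
```

This covers only the final path component; a parent directory that another user can write to or swap needs separate handling.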