shutil.rmtree is vulnerable to a symlink attack #48739

@mrts

Description

BPO 4489
Nosy @loewis, @birkenfeld, @jcea, @ncoghlan, @pitrou, @larryhastings, @blueyed, @tarekziade, @ezio-melotti, @merwok, @akheron, @hynek
PRs
  • gh-48739: tests(tests_shutil): fix comment with check_args_to_onerror #22968

Dependencies
  • bpo-4761: create Python wrappers for openat() and others
  • bpo-10755: Add posix.fdlistdir
  • bpo-13734: Add a generic directory walker method to avoid symlink attacks
  • bpo-14773: fwalk breaks on dangling symlinks

Files
  • shutil_patched.py
  • issue4489_first_attempt.diff
  • test_issue4489.sh
  • i4489.patch: Initial patch and test
  • i4489_v2.patch: Updated patch
  • i4489_v3.patch: Updated patch
  • i4489_v4.patch
  • rmtree-with-fwalk-v1.diff
  • rmtree-with-fwalk-docs-v1.diff
  • rmtree-with-fwalk-v2.diff
  • rmtree-with-fwalk-v3.diff
  • direct_rmtree_safe.diff
  • mvl-revisited-plus-docs.diff

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/hynek'
    closed_at = <Date 2012-06-28.10:39:44.997>
    created_at = <Date 2008-12-02.15:42:01.840>
    labels = ['type-security', 'library', 'release-blocker']
    title = 'shutil.rmtree is vulnerable to a symlink attack'
    updated_at = <Date 2020-10-25.13:33:48.102>
    user = 'https://bugs.python.org/mrts'

    bugs.python.org fields:

    activity = <Date 2020-10-25.13:33:48.102>
    actor = 'blueyed'
    assignee = 'hynek'
    closed = True
    closed_date = <Date 2012-06-28.10:39:44.997>
    closer = 'hynek'
    components = ['Library (Lib)']
    creation = <Date 2008-12-02.15:42:01.840>
    creator = 'mrts'
    dependencies = ['4761', '10755', '13734', '14773']
    files = ['12482', '12484', '12485', '20274', '20277', '20279', '23261', '25630', '25631', '25649', '25660', '25935', '26089']
    hgrepos = []
    issue_num = 4489
    keywords = ['patch', 'needs review']
    message_count = 83.0
    messages = ['76753', '78389', '78391', '78398', '78405', '78406', '78418', '78425', '78440', '78441', '78442', '78443', '78444', '78445', '78446', '78447', '78448', '78451', '103686', '124472', '125425', '125429', '125435', '125436', '125446', '142609', '144621', '145113', '145133', '147058', '147059', '147080', '147217', '147249', '150794', '150810', '150834', '150952', '159467', '159622', '161047', '161048', '161050', '161130', '161207', '161250', '161256', '161266', '162558', '162559', '162596', '162609', '163089', '163092', '163338', '163444', '163636', '163655', '163721', '163722', '163723', '163726', '163729', '163731', '163732', '163733', '163734', '163735', '163736', '163738', '163874', '163877', '163883', '163884', '163941', '164197', '164234', '164235', '164245', '164247', '164248', '164251', '164255']
    nosy_count = 19.0
    nosy_names = ['loewis', 'georg.brandl', 'jcea', 'ncoghlan', 'pitrou', 'larry', 'blueyed', 'schmir', 'tarek', 'ezio.melotti', 'eric.araujo', 'Arfrever', 'mrts', 'neologix', 'teamnoir', 'rosslagerwall', 'python-dev', 'petri.lehtinen', 'hynek']
    pr_nums = ['22968']
    priority = 'release blocker'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue4489'
    versions = ['Python 3.3']
