On Fri, Apr 29, 2011 at 09:52, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On Fri, Apr 29, 2011 at 4:26 PM, Eli Bendersky <eliben at gmail.com> wrote:
>>>> On Thu, Apr 28, 2011 at 04:20:06PM +0200, Éric Araujo wrote:
>>> The kind of race condition which can happen here is if an attacker
>>> creates "targetpath" between os.path.exists and os.unlink. Whether it
>>> is an exploitable flaw would need a detailed analysis, of course.
>>>
>>
>> Just out of curiosity, could you please elaborate on the potential
>> threat of this? If the "exists" condition is true, targetpath already
>> exists, so what use there is in overwriting it? If the condition is
>> false, unlink isn't executed, so no harm either. What am I missing?
>
> That's the "detailed analysis" part. What happens if other code
> deletes the path, and the unlink() call subsequently fails despite the
> successful exists() check? Hence why exception checking (as Nadeem
> posted) is typically the only right way to do things that access an
> external environment that supports multiple concurrent processes.
>

I completely understand this "other code/thread deletes the path between
exists() and unlink()" case - it indeed is a race condition waiting to
happen. What I didn't understand was Antoine's example of "attacker
creates targetpath between os.path.exists and os.unlink", and was asking
for a more detailed example, since I'm not really experienced with
security-oriented thinking.

Eli
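
The check-then-unlink window discussed in this thread, as an added example that is not part of the original messages or of the code under review: `between` is a hypothetical hook standing in for a concurrent process, and the file name is a constructed sample. It shows the `exists()` result going stale in both directions, next to the exception-based form.

```python
import os
import tempfile


def racy_remove(path, between=lambda: None):
    """Check-then-act. `between` (hypothetical hook) simulates another
    process running in the window between the check and the unlink."""
    if os.path.exists(path):
        between()
        os.unlink(path)      # raises if the path vanished in the window
        return True
    between()
    return False             # stale answer: the path may exist by now


def safe_remove(path):
    """Attempt the unlink and handle the failure; no check, no window."""
    try:
        os.unlink(path)
        return True
    except FileNotFoundError:
        return False


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "targetpath")   # constructed sample path

        # Case 1: the path is deleted after exists() returned True.
        open(target, "w").close()
        try:
            racy_remove(target, between=lambda: os.unlink(target))
            results["racy_deleted"] = "ok"
        except FileNotFoundError:
            results["racy_deleted"] = "FileNotFoundError"

        # Case 2: the path is created after exists() returned False.
        removed = racy_remove(target, between=lambda: open(target, "w").close())
        results["racy_created"] = (removed, os.path.exists(target))

        # Exception-based version: same starting states, defined outcomes.
        results["safe_present"] = safe_remove(target)   # file left by case 2
        results["safe_absent"] = safe_remove(target)    # already gone
    return results


if __name__ == "__main__":
    print(demo())
```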