Issue #4489: Rename the feature marker for the symlink resistant rmtree and store it as a function attribute

2025-12-04 08:34:25 +00:00 · 2012-06-24 16:43:06 +10:00 · 2012-06-24 16:43:06 +10:00 · 5b0eca116a
commit 5b0eca116a
parent 8e5c0a774f
4 changed files with 28 additions and 18 deletions
--- a/Doc/library/shutil.rst
+++ b/Doc/library/shutil.rst
@ -190,14 +190,15 @@ Directory and files operations
   handled by calling a handler specified by *onerror* or, if that is omitted,
   they raise an exception.

-   .. warning::
+   .. note::

-      The default :func:`rmtree` function is susceptible to a symlink attack:
-      given proper timing and circumstances, attackers can use it to delete
-      files they wouldn't be able to access otherwise.  Thus -- on platforms
-      that support the necessary fd-based functions -- a safe version of
-      :func:`rmtree` is used, which isn't vulnerable. In this case
-      :data:`rmtree_is_safe` is set to True.
+      On platforms that support the necessary fd-based functions a symlink
+      attack resistant version of :func:`rmtree` is used by default. On other
+      platforms, the :func:`rmtree` implementation is susceptible to a
+      symlink attack: given proper timing and circumstances, attackers can
+      manipulate symlinks on the filesystem to delete files they wouldn't
+      be able to access otherwise. Applications can use the :data:`rmtree.avoids_symlink_attacks` function attribute to
+      determine which case applies.

   If *onerror* is provided, it must be a callable that accepts three
   parameters: *function*, *path*, and *excinfo*.
@ -209,16 +210,16 @@ Directory and files operations
   :func:`sys.exc_info`.  Exceptions raised by *onerror* will not be caught.

   .. versionchanged:: 3.3
-      Added a safe version that is used automatically if platform supports
-      fd-based functions.
+      Added a symlink attack resistant version that is used automatically
+      if platform supports fd-based functions.

-.. data:: rmtree_is_safe
+   .. data:: rmtree.avoids_symlink_attacks

-   Indicates whether the current platform and implementation has a symlink
-   attack-proof version of :func:`rmtree`. Currently this is only true for
-   platforms supporting fd-based directory access functions.
+      Indicates whether the current platform and implementation provides a
+      symlink attack resistant version of :func:`rmtree`. Currently this is
+      only true for platforms supporting fd-based directory access functions.

-   .. versionadded:: 3.3
+      .. versionadded:: 3.3

 .. function:: move(src, dst)

--- a/Doc/whatsnew/3.3.rst
+++ b/Doc/whatsnew/3.3.rst
@ -1296,6 +1296,11 @@ shutil
  acts on the symlink itself (or creates one, if relevant).
  (Contributed by Hynek Schlawack in :issue:`12715`.)

+* :func:`~shutil.rmtree` is now resistant to symlink attacks on platforms
+  which support the new ``dir_fd`` parameter in :func:`os.open` and
+  :func:`os.unlinkat`. (Contributed by Martin von Löwis and Hynek Schlawack
+  in :issue:`4489`.)
+


 signal