| Path | csiph.com!fu-berlin.de!uni-berlin.de!not-for-mail |
|---|---|
| From | Chris Angelico <rosuav@gmail.com> |
| Newsgroups | comp.lang.python |
| Subject | Re: how to make the below code look better |
| Date | Thu, 3 Dec 2015 00:49:10 +1100 |
| Lines | 30 |
| Message-ID | <mailman.129.1449064154.14615.python-list@python.org> (permalink) |
| References | <mailman.120.1449058284.14615.python-list@python.org> <565ef1eb$0$1604$c3e8da3$5496439d@news.astraweb.com> |
On Thu, Dec 3, 2015 at 12:28 AM, Steven D'Aprano <steve@pearwood.info> wrote:
>> if not os.path.ismount("/tmp"):
>>     sys.exit("/tmp not mounted.")
>
> This is good enough for quick and dirty scripts, but this is vulnerable to a
> race condition. It may be that /tmp is mounted *now*, but a millisecond
> later (before you can use it) another process unmounts it.
>
> This is called a "time of check to time of use" bug:
>
> https://cwe.mitre.org/data/definitions/367.html
>
> https://www.owasp.org/index.php/Time_of_check,_time_of_use_race_condition
>
> https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use
>
> and can be a serious software vulnerability.
>
> If this code is only being used under trusted conditions, then it is
> probably okay, otherwise you should reconsider your strategy.
>
> (Besides, how often do you unmount /tmp?)
>
Possibly it's not worried about *un*mounting of /tmp, but about being
run prior to /tmp being mounted for the first time. If that's the
case, the check/use difference won't matter - worst case, the program
errors out even though the mount was almost completed.
ChrisA
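
Added example, not part of either post: one way to narrow the check/use gap discussed above is to resolve the path once and run both the mount test and the file creation through the same directory descriptor. The helper names `dir_is_mount_point` and `write_scratch` are assumptions made for this sketch, and it assumes a POSIX system where `os.open` and `os.stat` accept `dir_fd`.

```python
import os
import tempfile


def dir_is_mount_point(dir_fd):
    """The device/inode comparison os.path.ismount() makes, on an open directory."""
    here = os.fstat(dir_fd)
    parent = os.stat("..", dir_fd=dir_fd)
    # A mount point sits on a different device than its parent; the root
    # directory is its own parent, so the inode numbers match there.
    return here.st_dev != parent.st_dev or here.st_ino == parent.st_ino


def write_scratch(directory, name, data, require_mount=True):
    """Create `name` in `directory`; returns the number of bytes stored."""
    # The path is resolved exactly once, here.
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if require_mount and not dir_is_mount_point(dir_fd):
            raise RuntimeError(f"{directory} not mounted.")
        # O_EXCL makes creation fail rather than reuse an existing entry.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600,
                     dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return os.stat(name, dir_fd=dir_fd).st_size
    finally:
        os.close(dir_fd)


if __name__ == "__main__":
    # Constructed demo: a fresh temporary directory is not a mount point.
    with tempfile.TemporaryDirectory() as scratch:
        print(write_scratch(scratch, "ok.bin", b"data", require_mount=False))
        try:
            write_scratch(scratch, "refused.bin", b"data")
        except RuntimeError as exc:
            print("refused:", exc)
```

Like `os.path.ismount`, the comparison does not recognise a bind mount of a directory from the same filesystem.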
how to make the below code look better Ganesh Pal <ganesh1pal@gmail.com> - 2015-12-02 17:41 +0530
Re: how to make the below code look better BartC <bc@freeuk.com> - 2015-12-02 12:20 +0000
Re: how to make the below code look better Chris Angelico <rosuav@gmail.com> - 2015-12-02 23:31 +1100
Re: how to make the below code look better Steven D'Aprano <steve@pearwood.info> - 2015-12-03 00:28 +1100
Re: how to make the below code look better Chris Angelico <rosuav@gmail.com> - 2015-12-03 00:49 +1100
Re: how to make the below code look better me <self@example.org> - 2015-12-02 15:23 +0000