64 lines
2.7 KiB
Diff
64 lines
2.7 KiB
Diff
From 255ed068bc85d1ef406e50a135e1459170dd1bf0 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= <bgabor8@bloomberg.net>
|
|
Date: Fri, 9 Jan 2026 09:23:12 -0800
|
|
Subject: [PATCH] Fix TOCTOU symlink vulnerability in SoftFileLock
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Add O_NOFOLLOW flag to prevent symlink attacks. The vulnerability existed
|
|
between the permission check and the actual file creation, allowing an
|
|
attacker to create a symlink at the lock path.
|
|
|
|
How the fix prevents the attack:
|
|
1. raise_on_not_writable_file() validates permissions (doesn't follow symlinks)
|
|
2. RACE WINDOW: attacker creates symlink to target file
|
|
3. os.open() with O_NOFOLLOW refuses to follow the symlink
|
|
4. Attack is prevented - the symlink won't help attacker
|
|
|
|
Changes:
|
|
- Add conditional O_NOFOLLOW flag (like UnixFileLock does in commit 5088854)
|
|
- Gracefully degrade on platforms without O_NOFOLLOW (e.g., GraalPy)
|
|
- No behavioral changes to existing code
|
|
|
|
Security improvement:
|
|
- Platforms with O_NOFOLLOW: ✅ Symlink attacks completely prevented
|
|
- Platforms without O_NOFOLLOW: ⚠️ TOCTOU window remains but documented
|
|
|
|
The pre-check (raise_on_not_writable_file) is safe from TOCTOU itself because
|
|
it only reads metadata. The attack only works if a symlink is followed by a
|
|
write operation. By preventing symlink following in os.open() with O_NOFOLLOW,
|
|
the attack is blocked even if the symlink is created during the race window.
|
|
|
|
Reported by George Tsigourakos (@tsigouris007)
|
|
|
|
🤖 Generated with Claude Code
|
|
|
|
Co-Authored-By: Claude <noreply@anthropic.com>
|
|
---
|
|
docs/index.rst | 16 ++++++++++++++++
|
|
src/filelock/_soft.py | 4 +++-
|
|
2 files changed, 19 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/filelock/_soft.py b/src/filelock/_soft.py
|
|
index 28c67f74..93709c5c 100644
|
|
--- a/src/filelock/_soft.py
|
|
+++ b/src/filelock/_soft.py
|
|
@@ -16,13 +16,15 @@ class SoftFileLock(BaseFileLock):
|
|
def _acquire(self) -> None:
|
|
raise_on_not_writable_file(self.lock_file)
|
|
ensure_directory_exists(self.lock_file)
|
|
- # first check for exists and read-only mode as the open will mask this case as EEXIST
|
|
flags = (
|
|
os.O_WRONLY # open for writing only
|
|
| os.O_CREAT
|
|
| os.O_EXCL # together with above raise EEXIST if the file specified by filename exists
|
|
| os.O_TRUNC # truncate the file to zero byte
|
|
)
|
|
+ o_nofollow = getattr(os, "O_NOFOLLOW", None)
|
|
+ if o_nofollow is not None:
|
|
+ flags |= o_nofollow
|
|
try:
|
|
file_handler = os.open(self.lock_file, flags, self._context.mode)
|
|
except OSError as exception: # re-raise unless expected exception
|