17
0
Files
python-filelock/CVE-2026-22701.patch

64 lines
2.7 KiB
Diff

From 255ed068bc85d1ef406e50a135e1459170dd1bf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= <bgabor8@bloomberg.net>
Date: Fri, 9 Jan 2026 09:23:12 -0800
Subject: [PATCH] Fix TOCTOU symlink vulnerability in SoftFileLock
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add O_NOFOLLOW flag to prevent symlink attacks. The vulnerability existed
between the permission check and the actual file creation, allowing an
attacker to create a symlink at the lock path.
How the fix prevents the attack:
1. raise_on_not_writable_file() validates permissions (doesn't follow symlinks)
2. RACE WINDOW: attacker creates symlink to target file
3. os.open() with O_NOFOLLOW refuses to follow the symlink
4. Attack is prevented - the symlink won't help attacker
Changes:
- Add conditional O_NOFOLLOW flag (like UnixFileLock does in commit 5088854)
- Gracefully degrade on platforms without O_NOFOLLOW (e.g., GraalPy)
- No behavioral changes to existing code
Security improvement:
- Platforms with O_NOFOLLOW: ✅ Symlink attacks completely prevented
- Platforms without O_NOFOLLOW: ⚠️ TOCTOU window remains but documented
The pre-check (raise_on_not_writable_file) is safe from TOCTOU itself because
it only reads metadata. The attack only works if a symlink is followed by a
write operation. By preventing symlink following in os.open() with O_NOFOLLOW,
the attack is blocked even if the symlink is created during the race window.
Reported by George Tsigourakos (@tsigouris007)
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
---
docs/index.rst | 16 ++++++++++++++++
src/filelock/_soft.py | 4 +++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/filelock/_soft.py b/src/filelock/_soft.py
index 28c67f74..93709c5c 100644
--- a/src/filelock/_soft.py
+++ b/src/filelock/_soft.py
@@ -16,13 +16,15 @@ class SoftFileLock(BaseFileLock):
def _acquire(self) -> None:
raise_on_not_writable_file(self.lock_file)
ensure_directory_exists(self.lock_file)
- # first check for exists and read-only mode as the open will mask this case as EEXIST
flags = (
os.O_WRONLY # open for writing only
| os.O_CREAT
| os.O_EXCL # together with above raise EEXIST if the file specified by filename exists
| os.O_TRUNC # truncate the file to zero byte
)
+ o_nofollow = getattr(os, "O_NOFOLLOW", None)
+ if o_nofollow is not None:
+ flags |= o_nofollow
try:
file_handler = os.open(self.lock_file, flags, self._context.mode)
except OSError as exception: # re-raise unless expected exception