Bug 173891

Summary: os.path.realpath can't handle symlink loops
Product: Red Hat Enterprise Linux 4
Reporter: Bastien Nocera <bnocera>
Component: python
Assignee: Jeremy Katz <katzj>
Status: CLOSED ERRATA
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 4.0
CC: katzj, swarren, twegener
Hardware: All   
OS: Linux   
Fixed In Version: RHBA-2007-0247
Doc Type: Bug Fix
Last Closed: 2007-05-01 17:18:06 UTC
Attachments:
python-no-symlink-loop-rhel4.patch (flags: none)

Description Bastien Nocera 2005-11-22 09:14:48 UTC
+++ This bug was initially created as a clone of Bug #173595 +++

Description of problem:
The problem is described in
https://sourceforge.net/tracker/index.php?func=detail&aid=930024&group_id=5470&atid=105470

Version-Release number of selected component (if applicable):
python-2.2.3-6.1 (RHEL3)
python-2.3.4-14.1 (RHEL4)

How reproducible:
Every time

Steps to Reproduce:
See upstream's report

Additional info:
The problem is fixed in newer releases upstream.  The reason for this bug
report is that we need this fix in the python in RHEL3 and RHEL4, neither of
which has the fix.  In the case of RHEL4, it would probably be enough to upgrade
python to 2.3.5.  For RHEL3, I guess a backport will be necessary.

-- Additional comment from bnocera on 2005-11-22 04:10 EST --
Created an attachment (id=121334)
python-no-symlink-loop-rhel3-2.patch

Backported from
http://cvs.sourceforge.net/viewcvs.py/python/python/dist/src/Lib/posixpath.py?rev=1.75&view=log


1)
Revision 1.67
Sat Jul 10 22:55:13 2004 UTC (16 months, 1 week ago) by bcannon
Branch: MAIN
Changes since 1.66: +30 -6 lines

posixpath.realpath() now detects symlink loops and returns the path just before
the loop starts.

Closes bug #930024.  Thanks AM Kuchling.

2)
Revision 1.71
Sat Aug 14 15:01:53 2004 UTC (15 months, 1 week ago) by jlgijsbers
Branch: MAIN
Changes since 1.70: +9 -7 lines

bug #990669: os.path.realpath() will resolve symlinks before normalizing the
path, as normalizing the path may alter the meaning of the path if it contains
symlinks.

Also add tests for infinite symlink loops and parent symlinks that need to be
resolved.

And 3)
Revision 1.74
Fri Jun 3 14:24:43 2005 UTC (5 months, 2 weeks ago) by birkenfeld
Branch: MAIN
Changes since 1.73: +1 -1 lines

Bug #1213894: os.path.realpath didn't resolve symlinks that were the first
component of the path.

Comment 1 Bastien Nocera 2005-11-22 10:18:27 UTC
Created attachment 121336 [details]
python-no-symlink-loop-rhel4.patch

RHEL4 patch.

Comment 2 Steve 2006-04-12 13:13:24 UTC
The client is asking for an update on this issue and has asked why this was not
fixed in the latest update release.

Comment 4 RHEL Program Management 2006-08-18 16:59:28 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 Jeremy Katz 2007-01-09 21:31:07 UTC
Fixed in python-2.3.4-14.4

Comment 11 Red Hat Bugzilla 2007-05-01 17:18:06 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0247.html


Comment 12 Stephen Warren 2007-06-12 17:37:04 UTC
Unfortunately, the patch completely breaks correct operation of
os.path.realpath() in some scenarios:

Look at the existing symlink using ls:

$ ls -l /mnt/backup/hydrogen.gyanasoft.com/sequence/bkp.0
    /mnt/backup/hydrogen.gyanasoft.com/sequence/bkp.0 ->
                                ../data/bkp.2007.06.12.10.04

Ask Python about the symlink (python was run from the "backupplus" directory):

>>> os.path.realpath('/mnt/backup/hydrogen.gyanasoft.com/sequence/bkp.0')
'/home/swarren/cron_scripts/backupplus/data/bkp.2007.06.12.10.04'

The correct Python result above should have been:

/mnt/backup/hydrogen.gyanasoft.com/data/bkp.2007.06.12.10.04

Note that this occurs in python-2.3.4-14.4, but does not occur in
python-2.4.3-19.el5 from RHEL5.
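
A regression check for the two behaviours this report turns on (returning on a symlink loop, and the relative-target case from Comment 12), added here as an example; it is not part of the original thread or of the Red Hat patch. The directory layout, the `check_realpath` name and its `resolve` parameter are constructed for illustration, and the script assumes a current Python 3 on a POSIX system rather than the 2.3 interpreter under discussion.

```python
import os
import tempfile


def check_realpath(resolve=os.path.realpath):
    """Run both checks in a throwaway tree; return {check name: passed}."""
    results = {}
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)  # canonical form of the temp root
        host = os.path.join(root, "host")  # constructed stand-in for the backup tree
        target = os.path.join(host, "data", "bkp.2007.06.12.10.04")
        os.makedirs(target)
        os.makedirs(os.path.join(host, "sequence"))
        link = os.path.join(host, "sequence", "bkp.0")
        # Relative target as in Comment 12: it only has meaning relative to
        # the directory that holds the link, never to the process cwd.
        os.symlink("../data/bkp.2007.06.12.10.04", link)

        # Two links that point at each other: the loop from the bug summary.
        loop_a = os.path.join(root, "loop_a")
        os.symlink("loop_b", loop_a)
        os.symlink("loop_a", os.path.join(root, "loop_b"))

        cwd = os.path.join(root, "elsewhere")
        os.makedirs(cwd)
        try:
            os.chdir(cwd)  # resolve from an unrelated directory
            resolved = resolve(link)
            results["relative_target"] = resolved == target
            results["independent_of_cwd"] = not resolved.startswith(cwd + os.sep)
            try:
                looped = resolve(loop_a)  # must return, not recurse forever
                results["loop_terminates"] = looped.startswith(root + os.sep)
            except (RecursionError, OSError):
                results["loop_terminates"] = False
        finally:
            os.chdir(old_cwd)
    return results


if __name__ == "__main__":
    for name, ok in check_realpath().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Code that relies on `realpath` for path-containment decisions can run this against its deployed interpreter; a failure of `independent_of_cwd` corresponds to the symptom shown in Comment 12.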


Comment 13 Stephen Warren 2007-06-26 05:56:09 UTC
Any traction on this bug? I would have expected a new release with the bogus
patch backed out to be released ASAP...