Every version of the documentation I've seen associated
with the os.access() function neglects to mention that
its use is almost always a security vulnerability.
For the versions of Python that are still maintained,
I'd like to see the documentation for this function
expanded to include a paragraph very similar to the
warning given in my system's access(2) manpage:

    Using access to check if a user is authorized to e.g.,
    open a file before actually doing so using open(2)
    creates a security hole, because the user might exploit
    the short time interval between checking and opening
    the file to manipulate it.

(This paragraph comes from a Debian system; if it is
more work to validate the license on this manpage for
including this paragraph here, I'd be happy to write
some new content under whatever license is required to
get a warning included.)
Of course, there are web-based documents derived from
the module's built-in documentation. It'd be keen if
whoever fixes this in the module could poke the website
document maintainer and ask them to regenerate the content.
Thanks!
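
The check-then-open pattern the manpage warns about, next to the open-once alternative, as an added example that is not part of the original report or of Python's documentation. The function names, the `between` hook (which stands in for the interval between check and open) and the file names are constructed for illustration; POSIX rename semantics are assumed.

```python
import os
import stat
import tempfile

def read_checked(path, between=lambda: None):
    """Racy: os.access() and open() each resolve the path separately."""
    if not os.access(path, os.R_OK):
        return None
    between()  # stands in for the interval between check and open
    with open(path) as f:
        return f.read()

def read_direct(path, between=lambda: None):
    """EAFP: one open(); later checks use the descriptor, not the name."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:  # PermissionError, FileNotFoundError, ...
        return None
    with os.fdopen(fd) as f:
        between()  # re-pointing the name no longer changes what fd refers to
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            return None
        return f.read()

def demo():
    """Constructed scenario in a temp dir: the name is re-pointed mid-call."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "report.txt")
        other = os.path.join(d, "other.txt")

        def setup():
            with open(target, "w") as f:
                f.write("checked file")
            with open(other, "w") as f:
                f.write("different file")

        swap = lambda: os.replace(other, target)
        setup()
        results["checked"] = read_checked(target, swap)  # reads the swapped-in file
        setup()
        results["direct"] = read_direct(target, swap)    # reads the file it opened
        results["missing"] = read_direct(os.path.join(d, "absent.txt"))
    return results

if __name__ == "__main__":
    print(demo())
```

In `read_checked` the answer from `os.access()` describes whatever the name pointed to at check time, while `open()` acts on whatever it points to later; in `read_direct` the `os.fstat()` check and the read both apply to the one object that was opened.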