Skip to content

gh-143010: Prevent a TOCTOU issue by only calling open once #143011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AZero13 wants to merge 3 commits into
base: main
Choose a base branch
from
Open

gh-143010: Prevent a TOCTOU issue by only calling open once #143011

AZero13 wants to merge 3 commits into from

Conversation

@AZero13
Copy link
Contributor

@AZero13 AZero13 commented Dec 20, 2025
edited by bedevere-app bot
Loading

We can literally just use open(path, 'xb+') for _create_carefully

@AZero13 AZero13 requested a review from a team as a code owner December 20, 2025 06:49
@bedevere-app bedevere-app bot mentioned this pull request Dec 20, 2025
Open
@AZero13 AZero13 changed the title gh-143010: Prevent a TOCTOU issue by reusing the fd gh-143010: Prevent a TOCTOU issue by only calling open once Dec 20, 2025
@AZero13
pythongh-143010: Prevent a TOCTOU issue by pythongh-143010: Prevent a…
b7d2ebd 
… TOCTOU issue by only calling open once

We can literally just use open(path, 'xb+') for _create_carefully.
sobolevn
sobolevn reviewed Dec 20, 2025
View reviewed changes
Copy link
Member

@sobolevn sobolevn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please start with a failing test that can show us what's wrong?

@AZero13
Copy link
Contributor Author

AZero13 commented Dec 20, 2025
edited
Loading

Can you please start with a failing test that can show us what's wrong?

This is going to be very difficult given the fact it has to be precisely timed to the nanosecond as it is between opening of the file descriptor to the opening of the path again.

@AZero13
Copy link
Contributor Author

AZero13 commented Dec 21, 2025

By the way, this code is older than the "x" was added in 2012, which is why this wasn't used in the first place.

@bitdancer
Copy link
Member

bitdancer commented Dec 21, 2025

I think that you can create a test by mocking open with a side_effect that munges things before making the real open call. Is that worth doing?

bitdancer
bitdancer requested changes Dec 21, 2025
View reviewed changes
@bedevere-app
Copy link

bedevere-app bot commented Dec 21, 2025

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@AZero13 @sobolevn
Update 2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
7b1b9f2 
Co-authored-by: sobolevn <mail@sobolevn.me>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sobolevn sobolevn sobolevn left review comments

@bitdancer bitdancer bitdancer requested changes

Assignees

No one assigned

Labels

awaiting changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AZero13 @bitdancer @sobolevn