Proposal: removeDirectoryRecursive should not follow symlinks

Bardur Arantsson spam at scientician.net
Tue Jan 6 07:21:13 UTC 2015


On 2015-01-06 08:03, Ganesh Sittampalam wrote:
> On 06/01/2015 05:30, Greg Weber wrote:
> 
>> When I suggested deprecation, I assumed that following a symlink was a
>> desirable behavior for someone. If it is not and it is 100% the case
>> that this behavior is a defect, then this is just a bugfix then
>> deprecation is not needed.
> 
> My general feeling is that it is just a bug.
> 

That's what I thought too -- it's a typical rookie mistake to forget to
check if "isDirectory?" will return "true" for symlinks to directories.
But the documentation actually states the expected behavior correctly --
it's not nearly explicit enough about how dangerous it is, but the
documentation is technically correct.

However, even so, this is CVE-worthy behavior on its own (as pointed out
by Brandon), and should be removed pronto. Perhaps with new minor
versions for all affected major versions (excellent point by Greg
Weber), depending on how much work that is.
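To illustrate the defect the thread describes, here is an added example (not code from this thread or from the directory package), written in Python so it can be run stand-alone: the naive walk tests directory-ness with a call that follows symlinks, so a symlink inside the tree being removed leads it to delete the contents of the link's target; the fixed walk classifies entries with lstat and only unlinks the symlink itself. The `outside`/`victim`/`link` layout and `demo` function are constructed for the example.

```python
import os
import stat
import tempfile


def is_real_dir(path):
    """True only for an actual directory: lstat does not follow symlinks."""
    return stat.S_ISDIR(os.lstat(path).st_mode)


def remove_tree(path, follow_symlinks):
    """Recursive delete. follow_symlinks=True reproduces the bug:
    os.path.isdir answers True for a symlink to a directory, so the walk
    descends into the link target and deletes the target's contents."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if follow_symlinks:
            treat_as_dir = os.path.isdir(full)      # buggy: follows the link
        else:
            treat_as_dir = is_real_dir(full)        # fixed: symlink is a file
        if treat_as_dir:
            remove_tree(full, follow_symlinks)
        else:
            os.remove(full)   # unlinks a symlink without touching its target
    os.rmdir(path)


def demo(follow_symlinks):
    """Constructed layout inside a temp dir:
        outside/secret.txt        (must survive)
        victim/link -> outside    (victim/ is what we remove)
    Returns True if outside/secret.txt still exists afterwards."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")
        os.mkdir(outside)
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("keep me\n")
        victim = os.path.join(root, "victim")
        os.mkdir(victim)
        os.symlink(outside, os.path.join(victim, "link"))
        try:
            remove_tree(victim, follow_symlinks)
        except OSError:
            # The buggy walk fails at rmdir(link), but only after the
            # target's contents are already gone: the damage is done.
            pass
        return os.path.exists(secret)


if __name__ == "__main__":
    print("buggy walk kept secret.txt:", demo(follow_symlinks=True))
    print("fixed walk kept secret.txt:", demo(follow_symlinks=False))
```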
