fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation by gaborbernat · Pull Request #3013 · pypa/virtualenv
icanhasmath added a commit to ActiveState/virtualenv that referenced this pull request
virtualenv created its app data folder and lock directories with a
check-then-act pattern (if not os.path.isdir(x): os.makedirs(x)). A local
attacker can win the gap between the check and the create to plant a symlink
and redirect those paths (cache poisoning, info disclosure, lock bypass/DoS).
Upstream fixed this in 20.36.2 (PR pypa#3013) with atomic
os.makedirs(..., exist_ok=True). Python 2.7's os.makedirs has no exist_ok,
so the create is attempted unconditionally and an already-existing target is
tolerated, which removes the same race:
- app_data/__init__.py: drop the isdir pre-check; attempt makedirs and only log a failure if the folder still does not exist afterwards.
- util/lock.py (_CountedFileLock): drop the isdir pre-check; attempt makedirs and suppress OSError. (The second makedirs site in _lock_file already attempts-and-suppresses with no pre-check, so it was already race-free.)
The lock file open is separately hardened against symlinks by O_NOFOLLOW in filelock 3.1.0+security.1 (CVE-2025-68146).
Verified on Python 2.7.18: a missing nested lock parent is created and locked, a pre-existing parent is tolerated, and full venv creation still succeeds.
Co-Authored-By: Claude Opus 4.8 (1M context) noreply@anthropic.com
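An added example, not code from pypa/virtualenv or from this commit, contrasting the check-then-act pattern the commit describes with the unconditional-create form that closes the gap on Python 2.7 (catch EEXIST instead of exist_ok). The post-create symlink check and the directory names are assumptions for illustration.

```python
import errno
import os
import tempfile


def ensure_dir_racy(path):
    """Check-then-act: the window between isdir() and makedirs() is the TOCTOU gap."""
    if not os.path.isdir(path):
        os.makedirs(path)
    return path


def ensure_dir(path):
    """Attempt the create unconditionally and tolerate an existing target.

    Python 2.7 style (no exist_ok): swallow only EEXIST. The post-check that
    the result is a real directory, not a symlink, is an added hardening and
    not part of the upstream change.
    """
    try:
        os.makedirs(path)
    except OSError as exc:
        if exc.errno != errno.EEXIST:
            raise
    if os.path.islink(path) or not os.path.isdir(path):
        raise OSError(errno.ENOTDIR, "not a real directory: %s" % path)
    return path


def demo():
    """Exercise ensure_dir on a fresh nested path, an existing one, and a symlink."""
    base = tempfile.mkdtemp()
    nested = os.path.join(base, "app-data", "py3", "lock")  # constructed paths
    results = {}
    results["created"] = os.path.isdir(ensure_dir(nested))
    results["tolerated"] = os.path.isdir(ensure_dir(nested))
    link = os.path.join(base, "planted")
    os.symlink(base, link)  # simulate a pre-existing symlink at the target
    try:
        ensure_dir(link)
        results["symlink_rejected"] = False
    except OSError:
        results["symlink_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```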