From b7d2ebdd4b9f4b757bdeda921e122a7b430131b6 Mon Sep 17 00:00:00 2001
From: AZero13
Date: Sat, 20 Dec 2025 01:34:57 -0500
Subject: [PATCH 1/3] gh-143010: Prevent a TOCTOU issue by gh-143010: Prevent a TOCTOU issue by only calling open once We can literally just use open(path, 'xb+') for _create_carefully.
---
 Lib/mailbox.py | 6 +-----
 .../Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst | 1 +
 2 files changed, 2 insertions(+), 5 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
diff --git a/Lib/mailbox.py b/Lib/mailbox.py
index 4a44642765cc9a..65923e9c5de324 100644
--- a/Lib/mailbox.py
+++ b/Lib/mailbox.py
@@ -2181,11 +2181,7 @@ def _unlock_file(f):
 def _create_carefully(path):
 """Create a file if it doesn't exist and open for reading and writing."""
- fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, 0o666)
- try:
- return open(path, 'rb+')
- finally:
- os.close(fd)
+ return open(path, 'xb+')
 def _create_temporary(path):
 """Create a temp file based on path and open for reading and writing."""
diff --git a/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst b/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
new file mode 100644
index 00000000000000..cdc554b41c988d
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
@@ -0,0 +1 @@
+_create_carefully: Prevent a TOCTOU by simplifying.
From 879f581ec1efae3bbfa4efe74143249238883cde Mon Sep 17 00:00:00 2001
From: AZero13
Date: Sun, 21 Dec 2025 14:21:57 -0500
Subject: [PATCH 2/3] Fix News
---
 .../next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst b/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
index cdc554b41c988d..f57bc28cd9ac24 100644
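Review bot: The docstring of `_create_carefully` still reads as create-if-missing and does not say that the call fails when the path already exists, which is the property this fix depends on. In the new body the single `open(path, 'xb+')` both creates and opens, so the returned handle is the file that was just created; the removed lines reopened the path by name, which let it be replaced between the two calls. I would record that in the docstring, e.g. `"""Create path exclusively and open it for reading and writing; raise FileExistsError if it already exists."""`, and add the comment `# Single exclusive open: do not reopen by name, the path can change between calls.` so a later refactor does not reintroduce the second open. The hunk adds no test; one asserting `FileExistsError` on an existing path would pin the contract, though whether test_mailbox already covers this is not visible here.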
--- a/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
+++ b/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
@@ -1 +1 @@
-_create_carefully: Prevent a TOCTOU by simplifying.
+mailbox: Fixed a bug in :mod:mailbox where the precise timing of an external event could result in the library opening an existing file instead of a file it expected to create.
From 7b1b9f2c04bc25cee83e9fc2a6d5c3d32867266e Mon Sep 17 00:00:00 2001
From: AZero13
Date: Sun, 21 Dec 2025 18:21:47 -0500
Subject: [PATCH 3/3] Update 2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
Co-authored-by: sobolevn
---
 .../next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst b/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
index f57bc28cd9ac24..4914d0b7be727b 100644
--- a/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
+++ b/Misc/NEWS.d/next/Library/2025-12-20-01-49-02.gh-issue-143010._-SWX0.rst
@@ -1 +1 @@
-mailbox: Fixed a bug in :mod:mailbox where the precise timing of an external event could result in the library opening an existing file instead of a file it expected to create.
+Fixed a bug in :mod:`mailbox` where the precise timing of an external event could result in the library opening an existing file instead of a file it expected to create.