Commit2084f94

ambvpSubtiran
authored
[3.11]gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() (GH-93463) (GH-93636)
Note: This change is not effective on Microsoft Windows.

Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue #79096.

The filesystem permissions are currently set to 644, so everyone can read the file. This commit changes the permissions to 600, so only the creator of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a way to circumvent the filesystem's permissions.

This change is backwards incompatible. Systems that rely on world-readable cookies will break. However, one could argue that those are misconfigured in the first place.

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Pascal Wittmann <mail@pascal-wittmann.de>
Co-authored-by: Christian Heimes <christian@python.org>
1 parent92f8786 commit2084f94


3 files changed

+39
-11
lines changed


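--- a/Lib/http/cookiejar.py
+++ b/Lib/http/cookiejar.py
@@ -1890,7 +1890,7 @@ def save(self, filename=None, ignore_discard=False, ignore_expires=False):
 ifself.filenameisnotNone:filename=self.filename
 else:raiseValueError(MISSING_FILENAME_TEXT)
 
-withopen(filename,"w")asf:
+withos.fdopen(os.open(filename,os.O_CREAT|os.O_WRONLY,0o600),'w')asf:
 # There really isn't an LWP Cookies 2.0 format, but this indicates
 # that there is extra information in here (domain_dot and
 # port_spec) while still being compatible with libwww-perl, I hope.
@@ -2086,7 +2086,7 @@ def save(self, filename=None, ignore_discard=False, ignore_expires=False):
 ifself.filenameisnotNone:filename=self.filename
 else:raiseValueError(MISSING_FILENAME_TEXT)
 
-withopen(filename,"w")asf:
+withos.fdopen(os.open(filename,os.O_CREAT|os.O_WRONLY,0o600),'w')asf:
 f.write(NETSCAPE_HEADER_TEXT)
 now=time.time()
 forcookieinself: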
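Review bot: The new `os.open(filename, os.O_CREAT|os.O_WRONLY, 0o600)` in both hunks (LWP save at new line 1893, Mozilla save at new line 2089) drops the truncation that `open(filename, "w")` performed: `O_CREAT|O_WRONLY` alone opens an existing file without truncating it, so a save whose serialized output is shorter than the file's previous contents leaves the old tail after the new data, and a later load() would presumably see stale or malformed lines. The fix is one flag in each call: `with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600), 'w') as f:`. Separately, the 0o600 mode is only applied when the file is created, so a cookie file that already exists with the old 0o644 permissions keeps them after this change; if that case is in scope, an explicit `os.chmod(filename, 0o600)` after the open, or a docstring sentence stating that existing files keep their mode, would make the contract clear. Both save() bodies begin and end outside their hunks.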

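--- a/Lib/test/test_http_cookiejar.py
+++ b/Lib/test/test_http_cookiejar.py
@@ -1,6 +1,8 @@
 """Tests for http/cookiejar.py."""
 
 importos
+importstat
+importsys
 importre
 importtest.support
 fromtest.supportimportos_helper
@@ -17,6 +19,7 @@
 reach,is_HDN,domain_match,user_domain_match,request_path,
 request_port,request_host)
 
+mswindows= (sys.platform=="win32")
 
 classDateTimeTests(unittest.TestCase):
 
@@ -364,10 +367,37 @@ def test_lwp_valueless_cookie(self):
 c=LWPCookieJar()
 c.load(filename,ignore_discard=True)
 finally:
-try:os.unlink(filename)
-exceptOSError:pass
+os_helper.unlink(filename)
 self.assertEqual(c._cookies["www.acme.com"]["/"]["boo"].value,None)
 
+@unittest.skipIf(mswindows,"windows file permissions are incompatible with file modes")
+@os_helper.skip_unless_working_chmod
+deftest_lwp_filepermissions(self):
+# Cookie file should only be readable by the creator
+filename=os_helper.TESTFN
+c=LWPCookieJar()
+interact_netscape(c,"http://www.acme.com/",'boo')
+try:
+c.save(filename,ignore_discard=True)
+st=os.stat(filename)
+self.assertEqual(stat.S_IMODE(st.st_mode),0o600)
+finally:
+os_helper.unlink(filename)
+
+@unittest.skipIf(mswindows,"windows file permissions are incompatible with file modes")
+@os_helper.skip_unless_working_chmod
+deftest_mozilla_filepermissions(self):
+# Cookie file should only be readable by the creator
+filename=os_helper.TESTFN
+c=MozillaCookieJar()
+interact_netscape(c,"http://www.acme.com/",'boo')
+try:
+c.save(filename,ignore_discard=True)
+st=os.stat(filename)
+self.assertEqual(stat.S_IMODE(st.st_mode),0o600)
+finally:
+os_helper.unlink(filename)
+
 deftest_bad_magic(self):
 # OSErrors (eg. file doesn't exist) are allowed to propagate
 filename=os_helper.TESTFN
@@ -391,8 +421,7 @@ def test_bad_magic(self):
 c=cookiejar_class()
 self.assertRaises(LoadError,c.load,filename)
 finally:
-try:os.unlink(filename)
-exceptOSError:pass
+os_helper.unlink(filename)
 
 classCookieTests(unittest.TestCase):
 # XXX
@@ -496,7 +525,7 @@ def test_missing_value(self):
 c=MozillaCookieJar(filename)
 c.revert(ignore_expires=True,ignore_discard=True)
 finally:
-os.unlink(c.filename)
+os_helper.unlink(c.filename)
 # cookies unchanged apart from lost info re. whether path was specified
 self.assertEqual(
 repr(c),
@@ -1766,8 +1795,7 @@ def test_rejection(self):
 c=LWPCookieJar(policy=pol)
 c.load(filename,ignore_discard=True)
 finally:
-try:os.unlink(filename)
-exceptOSError:pass
+os_helper.unlink(filename)
 
 self.assertEqual(old,repr(c))
 
@@ -1826,8 +1854,7 @@ def save_and_restore(cj, ignore_discard):
 DefaultCookiePolicy(rfc2965=True))
 new_c.load(ignore_discard=ignore_discard)
 finally:
-try:os.unlink(filename)
-exceptOSError:pass
+os_helper.unlink(filename)
 returnnew_c
 
 new_c=save_and_restore(c,True)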
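Review bot: The two new permission tests (`test_lwp_filepermissions`, `test_mozilla_filepermissions` in the third hunk) only cover saving to a file that does not yet exist; neither exercises save() over a pre-existing cookie file, which is exactly where replacing `open(filename, "w")` with `os.open(..., os.O_CREAT|os.O_WRONLY, 0o600)` behaves differently (no implicit truncation, and the 0o600 mode is not applied to a file that already exists). A test that pre-fills `os_helper.TESTFN` with a longer payload and checks that save() fully replaces it would pin the intended behaviour; a sketch for the LWP jar follows, and the Mozilla variant is the same with `MozillaCookieJar()`. The `stat.S_IMODE(...) == 0o600` assertions also silently assume the process umask leaves the owner bits intact, which holds for the usual umasks but not for a restrictive one; a comment such as `# assumes a umask that keeps owner rw (e.g. 022 or 077)` on those lines would record that. The enclosing test class starts outside the hunk.
```python
    def test_lwp_save_replaces_existing_file(self):
        # save() must fully replace a longer pre-existing file, not leave its tail behind
        filename = os_helper.TESTFN
        with open(filename, "w") as f:
            f.write("x" * 4096)
        c = LWPCookieJar()
        interact_netscape(c, "http://www.acme.com/", 'boo')
        try:
            c.save(filename, ignore_discard=True)
            with open(filename) as f:
                self.assertNotIn("xxxx", f.read())
        finally:
            os_helper.unlink(filename)
```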
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
LWPCookieJar and MozillaCookieJar create files with file mode 600 instead of 644 (Microsoft Windows is not affected)

