diff options
| author |   Pascal Wittmann <mail@pascal-wittmann.de> | 2022-06-07 10:11:03 +0200 |
|---|---|---|
| committer |   Michał Górny <mgorny@gentoo.org> | 2022-08-10 09:45:47 +0200 |
| commit | febcce7e8b5999a0aa5ed3be3136c8988b7712d9 (patch) | |
| tree | aa620eca24e9c8dcee64244e9a45d69cd3316f50 | |
| parent | gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (diff) | |
| download | cpython-febcce7e8b5999a0aa5ed3be3136c8988b7712d9.tar.gz cpython-febcce7e8b5999a0aa5ed3be3136c8988b7712d9.tar.bz2 cpython-febcce7e8b5999a0aa5ed3be3136c8988b7712d9.zip | |
gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() (GH-93463)gentoo-3.10.6_p2
Note: This change is not effective on Microsoft Windows.
Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue #79096.
The filesystem permissions are currently set to 644, everyone can read the
file. This commit changes the permissions to 600, only the creater of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a ways to circumvent the filesystems permissions.
This change is backwards incompatible. Systems that rely on world-readable
cookies will breake. However, one could argue that those are misconfigured in
the first place.
| -rw-r--r-- | Lib/http/cookiejar.py | 4 | ||||
| -rw-r--r-- | Lib/test/test_http_cookiejar.py | 31 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Security/2022-06-03-12-52-53.gh-issue-79096.YVoxgC.rst | 1 |
3 files changed, 34 insertions, 2 deletions
diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py index eaa76c26b9c..9ac5dcafe77 100644 --- a/Lib/http/cookiejar.py +++ b/Lib/http/cookiejar.py @@ -1895,7 +1895,7 @@ class LWPCookieJar(FileCookieJar): if self.filename is not None: filename = self.filename else: raise ValueError(MISSING_FILENAME_TEXT) - with open(filename, "w") as f: + with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f: # There really isn't an LWP Cookies 2.0 format, but this indicates # that there is extra information in here (domain_dot and # port_spec) while still being compatible with libwww-perl, I hope. @@ -2091,7 +2091,7 @@ class MozillaCookieJar(FileCookieJar): if self.filename is not None: filename = self.filename else: raise ValueError(MISSING_FILENAME_TEXT) - with open(filename, "w") as f: + with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f: f.write(NETSCAPE_HEADER_TEXT) now = time.time() for cookie in self: diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py index 9450104d0b9..15b281ae79b 100644 --- a/Lib/test/test_http_cookiejar.py +++ b/Lib/test/test_http_cookiejar.py @@ -1,6 +1,7 @@ """Tests for http/cookiejar.py.""" import os +import sys import re import test.support from test.support import os_helper @@ -17,6 +18,7 @@ from http.cookiejar import (time2isoz, http2time, iso2time, time2netscape, reach, is_HDN, domain_match, user_domain_match, request_path, request_port, request_host) +mswindows = (sys.platform == "win32") class DateTimeTests(unittest.TestCase): @@ -368,6 +370,35 @@ class FileCookieJarTests(unittest.TestCase): except OSError: pass self.assertEqual(c._cookies["www.acme.com"]["/"]["boo"].value, None) + @unittest.skipIf(mswindows, "windows file permissions are incompatible with file modes") + def test_lwp_filepermissions(self): + # Cookie file should only be readable by the creator + filename = os_helper.TESTFN + c = LWPCookieJar() + interact_netscape(c, "http://www.acme.com/", 'boo') + try: + c.save(filename, ignore_discard=True) + status = os.stat(filename) + print(status.st_mode) + self.assertEqual(oct(status.st_mode)[-3:], '600') + finally: + try: os.unlink(filename) + except OSError: pass + + @unittest.skipIf(mswindows, "windows file permissions are incompatible with file modes") + def test_mozilla_filepermissions(self): + # Cookie file should only be readable by the creator + filename = os_helper.TESTFN + c = MozillaCookieJar() + interact_netscape(c, "http://www.acme.com/", 'boo') + try: + c.save(filename, ignore_discard=True) + status = os.stat(filename) + self.assertEqual(oct(status.st_mode)[-3:], '600') + finally: + try: os.unlink(filename) + except OSError: pass + def test_bad_magic(self): # OSErrors (eg. file doesn't exist) are allowed to propagate filename = os_helper.TESTFN diff --git a/Misc/NEWS.d/next/Security/2022-06-03-12-52-53.gh-issue-79096.YVoxgC.rst b/Misc/NEWS.d/next/Security/2022-06-03-12-52-53.gh-issue-79096.YVoxgC.rst new file mode 100644 index 00000000000..9ec3335dc71 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-06-03-12-52-53.gh-issue-79096.YVoxgC.rst @@ -0,0 +1 @@ +LWPCookieJar and MozillaCookieJar create files with file mode 600 instead of 644 (Microsoft Windows is not affected) |