gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() (GH-93463)gentoo-3.9-7.3.11

Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue #79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place. (backported to 3.9 by Michał Górny)
author: Pascal Wittmann <mail@pascal-wittmann.de> 2022-06-07 10:11:03 +0200
committer: Michał Górny <mgorny@gentoo.org> 2022-12-30 12:16:43 +0100
commit: 52858e6cd3212c51aa551057f5e76e948bd99f90 (patch)
tree: 36b179acb7f478e4f0d65b910b68a438ac0bda1b
parent: bpo-42856: Add --with-wheel-pkg-dir=PATH configure option (GH-24210) (diff)
download: pypy-52858e6cd3212c51aa551057f5e76e948bd99f90.tar.gz
pypy-52858e6cd3212c51aa551057f5e76e948bd99f90.tar.bz2
pypy-52858e6cd3212c51aa551057f5e76e948bd99f90.zip
2 files changed, 33 insertions, 2 deletions
diff --git a/lib-python/3/http/cookiejar.py b/lib-python/3/http/cookiejar.py
index 47ed5c3d64..a2c66aa5ff 100644
--- a/lib-python/3/http/cookiejar.py
+++ b/lib-python/3/http/cookiejar.py
@@ -1887,7 +1887,7 @@ class LWPCookieJar(FileCookieJar):
             if self.filename is not None: filename = self.filename
             else: raise ValueError(MISSING_FILENAME_TEXT)
 
-        with open(filename, "w") as f:
+        with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
             # There really isn't an LWP Cookies 2.0 format, but this indicates
             # that there is extra information in here (domain_dot and
             # port_spec) while still being compatible with libwww-perl, I hope.
@@ -2082,7 +2082,7 @@ class MozillaCookieJar(FileCookieJar):
             if self.filename is not None: filename = self.filename
             else: raise ValueError(MISSING_FILENAME_TEXT)
 
-        with open(filename, "w") as f:
+        with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
             f.write(self.header)
             now = time.time()
             for cookie in self:
diff --git a/lib-python/3/test/test_http_cookiejar.py b/lib-python/3/test/test_http_cookiejar.py
index 83945509d7..99e57f7d05 100644
--- a/lib-python/3/test/test_http_cookiejar.py
+++ b/lib-python/3/test/test_http_cookiejar.py
@@ -1,6 +1,7 @@
 """Tests for http/cookiejar.py."""
 
 import os
+import sys
 import re
 import test.support
 import time
@@ -15,6 +16,7 @@ from http.cookiejar import (time2isoz, http2time, iso2time, time2netscape,
      reach, is_HDN, domain_match, user_domain_match, request_path,
      request_port, request_host)
 
+mswindows = (sys.platform == "win32")
 
 class DateTimeTests(unittest.TestCase):
 
@@ -366,6 +368,35 @@ class FileCookieJarTests(unittest.TestCase):
             except OSError: pass
         self.assertEqual(c._cookies["www.acme.com"]["/"]["boo"].value, None)
 
+    @unittest.skipIf(mswindows, "windows file permissions are incompatible with file modes")
+    def test_lwp_filepermissions(self):
+        # Cookie file should only be readable by the creator
+        filename = test.support.TESTFN
+        c = LWPCookieJar()
+        interact_netscape(c, "http://www.acme.com/", 'boo')
+        try:
+            c.save(filename, ignore_discard=True)
+            status = os.stat(filename)
+            print(status.st_mode)
+            self.assertEqual(oct(status.st_mode)[-3:], '600')
+        finally:
+            try: os.unlink(filename)
+            except OSError: pass
+
+    @unittest.skipIf(mswindows, "windows file permissions are incompatible with file modes")
+    def test_mozilla_filepermissions(self):
+        # Cookie file should only be readable by the creator
+        filename = test.support.TESTFN
+        c = MozillaCookieJar()
+        interact_netscape(c, "http://www.acme.com/", 'boo')
+        try:
+            c.save(filename, ignore_discard=True)
+            status = os.stat(filename)
+            self.assertEqual(oct(status.st_mode)[-3:], '600')
+        finally:
+            try: os.unlink(filename)
+            except OSError: pass
+
     def test_bad_magic(self):
         # OSErrors (eg. file doesn't exist) are allowed to propagate
         filename = test.support.TESTFN
author	Pascal Wittmann <mail@pascal-wittmann.de>	2022-06-07 10:11:03 +0200
committer	Michał Górny <mgorny@gentoo.org>	2022-12-30 12:16:43 +0100
commit	52858e6cd3212c51aa551057f5e76e948bd99f90 (patch)
tree	36b179acb7f478e4f0d65b910b68a438ac0bda1b
parent	bpo-42856: Add --with-wheel-pkg-dir=PATH configure option (GH-24210) (diff)
download	pypy-52858e6cd3212c51aa551057f5e76e948bd99f90.tar.gz pypy-52858e6cd3212c51aa551057f5e76e948bd99f90.tar.bz2 pypy-52858e6cd3212c51aa551057f5e76e948bd99f90.zip