]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3e4a3dc)
Create ~/.pypirc securely (#13512).
authorÉric Araujo <aeric@mtlpy.org>
Sat, 8 Dec 2012 19:51:47 +0000 (14:51 -0500)
committerÉric Araujo <aeric@mtlpy.org>
Sat, 8 Dec 2012 19:51:47 +0000 (14:51 -0500)
There was a window between the write and the chmod where the user’s
password would be exposed, depending on default permissions.  Philip
Jenvey’s patch fixes it.

Lib/distutils/config.py patch | blob | history
Misc/ACKS patch | blob | history
Misc/NEWS patch | blob | history

diff --git a/Lib/distutils/config.py b/Lib/distutils/config.py
index 5b625f3f7d2198fa2480ac88df403e6f8692fa57..1fd53346e96d542c9845b9ad19165e394016d6b2 100644 (file)
--- a/Lib/distutils/config.py
+++ b/Lib/distutils/config.py
@@ -4,7 +4,6 @@ Provides the PyPIRCCommand class, the base class for the command classes
 that uses .pypirc in the distutils.command package.
 """
 import os
-import sys
 from configparser import ConfigParser
 
 from distutils.cmd import Command
@@ -43,16 +42,8 @@ class PyPIRCCommand(Command):
     def _store_pypirc(self, username, password):
         """Creates a default .pypirc file."""
         rc = self._get_rc_file()
-        f = open(rc, 'w')
-        try:
+        with os.fdopen(os.open(rc, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
             f.write(DEFAULT_PYPIRC % (username, password))
-        finally:
-            f.close()
-        try:
-            os.chmod(rc, 0o600)
-        except OSError:
-            # should do something better here
-            pass
 
     def _read_pypirc(self):
         """Reads the .pypirc file."""
diff --git a/Misc/ACKS b/Misc/ACKS
index 9e662f6a73175bf8264b02c038d75ec7a488108f..05670693d8cd5843af5198ec4bc1332523cb01b4 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -512,6 +512,7 @@ Zbyszek Jędrzejewski-Szmek
 Drew Jenkins
 Flemming Kjær Jensen
 Philip H. Jensen
+Philip Jenvey
 MunSic Jeong
 Chris Jerdonek
 Pedro Diaz Jimenez
diff --git a/Misc/NEWS b/Misc/NEWS
index 02e4d4882d545fbd7514e88b578fdae2897ba97b..3adc531ab659a29a9fb2cedde596abfe1458c5a3 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -177,6 +177,9 @@ Library
 
 - Issue #16628: Fix a memory leak in ctypes.resize().
 
+- Issue #13512: Create ~/.pypirc securely (CVE-2011-4944).  Initial patch by
+  Philip Jenvey, tested by Mageia and Debian.
+
 - Issue #7719: Make distutils ignore ``.nfs*`` files instead of choking later
   on.  Initial patch by SilentGhost and Jeff Ramnani.
 
Unnamed repository; edit this file 'description' to name the repository.