[New-bugs-announce] [issue34915] LWPCookieJar.save() creates *.lwp file in 644 mode

Ales Kvapil report at bugs.python.org
Sat Oct 6 09:58:56 EDT 2018


New submission from Ales Kvapil <aleskva at mailinator.com>:

LWPCookieJar.save() creates an *.lwp file containing session cookies in non-safe 644 mode (everyone can read it). This is not secure behavior, especially for storing session keys or session cookies. The file should be created in 600 mode in my opinion.

https://github.com/python/cpython/blob/3.7/Lib/http/cookiejar.py#L1872

----------
assignee: christian.heimes
components: IO, Library (Lib), SSL
messages: 327246
nosy: aleskva, christian.heimes
priority: normal
severity: normal
status: open
title: LWPCookieJar.save() creates *.lwp file in 644 mode
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue34915>
_______________________________________
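
The file mode described in the report can be checked, and worked around from calling code, by creating the file with mode 0o600 before save() writes to it. This is an added example, not code from the report or from CPython; it assumes a POSIX system, and `file_mode`, `save_private`, `make_jar`, `demo` and the cookie values are hypothetical names and constructed data.

```python
import os
import stat
import tempfile
from http.cookiejar import Cookie, LWPCookieJar


def file_mode(path):
    """Return the permission bits of path (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def save_private(jar, path):
    """Save jar to path with owner-only (0o600) permissions."""
    # An existing file keeps its mode when save() truncates it, so create
    # (or tighten) the file to 0o600 before any cookie data is written.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also fixes a file left at 0o644 earlier
    finally:
        os.close(fd)
    # ignore_discard=True keeps session cookies, the case in the report
    jar.save(path, ignore_discard=True, ignore_expires=True)


def make_jar():
    """Build a jar holding one constructed session cookie (discard=True)."""
    jar = LWPCookieJar()
    jar.set_cookie(Cookie(
        0, "sessionid", "constructed-value", None, False, "example.test",
        True, False, "/", True, True, None, True, None, None, {}))
    return jar


def demo():
    """Return (mode after plain save(), mode after save_private())."""
    old_umask = os.umask(0o022)  # common default umask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            plain = os.path.join(tmp, "plain.lwp")
            private = os.path.join(tmp, "private.lwp")
            make_jar().save(plain, ignore_discard=True)
            save_private(make_jar(), private)
            return file_mode(plain), file_mode(private)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print("save(): %o, save_private(): %o" % demo())
```

The first number printed is whatever mode the running interpreter's own save() produces under a 022 umask; the second is 600 regardless.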

