[issue14984] netrc module allows read of non-secured .netrc file
Barry A. Warsaw
report at bugs.python.org
Sun Sep 15 20:44:00 CEST 2013
Barry A. Warsaw added the comment:
On Sep 15, 2013, at 06:05 PM, R. David Murray wrote:
>For the security fix, the check should only be done if the file is the
>default .netrc. (Which would also make your error message
>correct...otherwise it is not :) Also, it would make more sense for the 'prop
>=' to be inside the 'if posix'.
>
>Barry, with that detail fixed should I apply this to 2.6? (I'll tweak the
>error messages a bit, too.)

For the error message, I suggest including both os.getuid and prop.st_uid,
e.g. something like:

".netrc file is owned by (%d); should be (%d)" % (prop.st_uid, os.getuid())

NetrcParseError seems a little odd but I suppose I could justify incorrect
ownership or mode as a parse error. We definitely don't want to introduce a
new exception for 2.6.9, so the only other option is an OSError I think.

RDM, can you write any tests for this issue? Also, are any documentation
changes necessary? I think this should be a candidate for 2.6.9.

----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue14984>
_______________________________________
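
An added example, not part of the original message and not CPython's patch: a sketch of the check the thread describes, applied only to the default .netrc on POSIX, comparing the file owner with the caller's uid and rejecting an insecure mode. The function names, the `expected_uid` parameter and the rule that any group/other permission bit is insecure are assumptions.

```python
import netrc
import os
import stat


def netrc_problems(path, is_default=True, expected_uid=None):
    """Return a list of ownership/mode problems for a .netrc file.

    Hypothetical helper; expected_uid exists only so the ownership
    branch can be exercised without a second account.
    """
    # As suggested in the thread: check only the default .netrc, and keep
    # the stat call inside the POSIX branch.
    if not is_default or os.name != "posix":
        return []
    if expected_uid is None:
        expected_uid = os.getuid()
    with open(path) as fp:
        # fstat the open descriptor so the file checked is the file read.
        prop = os.fstat(fp.fileno())
    problems = []
    if prop.st_uid != expected_uid:
        problems.append(".netrc file is owned by (%d); should be (%d)"
                        % (prop.st_uid, expected_uid))
    # Assumption: any group/other permission bit is an insecure mode.
    if prop.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(".netrc mode is %o; remove group/other access"
                        % stat.S_IMODE(prop.st_mode))
    return problems


def require_secure_netrc(path, is_default=True, expected_uid=None):
    """Raise NetrcParseError, the existing exception discussed in the thread."""
    problems = netrc_problems(path, is_default, expected_uid)
    if problems:
        raise netrc.NetrcParseError("; ".join(problems), path)
```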