[Python-checkins] cpython (3.2): Create ~/.pypirc securely (#13512).
eric.araujo
python-checkins at python.org
Sun Dec 9 04:57:23 CET 2012
http://hg.python.org/cpython/rev/4a2814f24a10
changeset: 80769:4a2814f24a10
branch: 3.2
user: Éric Araujo <aeric at mtlpy.org>
date: Sat Dec 08 14:51:47 2012 -0500
summary:
Create ~/.pypirc securely (#13512).
There was a window between the write and the chmod where the user’s
password would be exposed, depending on default permissions. Philip
Jenvey’s patch fixes it.
files:
Lib/distutils/config.py | 11 +----------
Misc/ACKS | 1 +
Misc/NEWS | 3 +++
3 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/Lib/distutils/config.py b/Lib/distutils/config.py
--- a/Lib/distutils/config.py
+++ b/Lib/distutils/config.py
@@ -4,7 +4,6 @@
that uses .pypirc in the distutils.command package.
"""
import os
-import sys
from configparser import ConfigParser
from distutils.cmd import Command
@@ -43,16 +42,8 @@
def _store_pypirc(self, username, password):
"""Creates a default .pypirc file."""
rc = self._get_rc_file()
- f = open(rc, 'w')
- try:
+ with os.fdopen(os.open(rc, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
f.write(DEFAULT_PYPIRC % (username, password))
- finally:
- f.close()
- try:
- os.chmod(rc, 0o600)
- except OSError:
- # should do something better here
- pass
def _read_pypirc(self):
"""Reads the .pypirc file."""
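Review bot: the new `os.open(rc, os.O_CREAT | os.O_WRONLY, 0o600)` call has no `os.O_TRUNC`, whereas the removed `open(rc, 'w')` truncated implicitly; if `~/.pypirc` already exists and is longer than the new `DEFAULT_PYPIRC % (username, password)` content, the old tail bytes survive after the write. Suggest `os.open(rc, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)`. Related: the `0o600` mode is applied only when the file is created, and the `os.chmod(rc, 0o600)` that this hunk removes was the only thing tightening an already existing, possibly world-readable `.pypirc`; either keep a `chmod` after the write for the pre-existing case, or document that existing files keep their current permissions.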
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -512,6 +512,7 @@
Drew Jenkins
Flemming Kjær Jensen
Philip H. Jensen
+Philip Jenvey
MunSic Jeong
Chris Jerdonek
Pedro Diaz Jimenez
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -177,6 +177,9 @@
- Issue #16628: Fix a memory leak in ctypes.resize().
+- Issue #13512: Create ~/.pypirc securely (CVE-2011-4944). Initial patch by
+ Philip Jenvey, tested by Mageia and Debian.
+
- Issue #7719: Make distutils ignore ``.nfs*`` files instead of choking later
on. Initial patch by SilentGhost and Jeff Ramnani.
--
Repository URL: http://hg.python.org/cpython