[Jython-checkins] jython: Restrict accessibility of compiled files (fixes #2044 again).

jeff.allen jython-checkins at python.org
Sun Jan 26 15:59:24 EST 2020 

https://hg.python.org/jython/rev/7e917a237b7a
changeset:   8321:7e917a237b7a
user:        Jeff Allen <ja.py at farowl.co.uk>
date:        Sun Jan 26 15:03:50 2020 +0000
summary:
  Restrict accessibility of compiled files (fixes #2044 again).

CVE-2013-2027 points out that Jython may be run with umask 0, and then
files cached will be world-writable affecting later sessions. #2044
claimed this fixed by other work, but this change fixes the permissions
explicitly in the compiler and package manager.

files:
  NEWS                                                           |   1 +
  src/org/python/core/imp.java                                   |   4 +-
  src/org/python/core/packagecache/CachedJarsPackageManager.java |   4 +-
  src/org/python/core/util/FileUtil.java                         |  32 ++++++++++
  4 files changed, 38 insertions(+), 3 deletions(-)


diff --git a/NEWS b/NEWS
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@
 
 Jython 2.7.2b3
   Bugs fixed
+    - [ 2044 ] CVE-2013-2027 Current umask sets privileges of class files and cache
     - [ 2834 ] Import of Java classes is not thread safe
     - [ 2820 ] Import fails with UnicodeDecodeError if sys.path contains invalid UTF-8 bytes
     - [ 2826 ] Unicode hex string decode failure
diff --git a/src/org/python/core/imp.java b/src/org/python/core/imp.java
--- a/src/org/python/core/imp.java
+++ b/src/org/python/core/imp.java
@@ -480,12 +480,12 @@
             if (man != null) {
                 man.checkWrite(compiledFilename);
             }
-            fop = new FileOutputStream(compiledFilename);
+            fop = new FileOutputStream(FileUtil.makePrivateRW(compiledFilename));
             fop.write(compiledSource);
             fop.close();
             return compiledFilename;
         } catch (IOException | SecurityException exc) {
-            // If we can't write the cache file, just logger and continue
+            // If we can't write the cache file, just log and continue
             logger.log(Level.FINE, "Unable to write to source cache file ''{0}'' due to {1}",
                     new Object[] {compiledFilename, exc});
             return null;
diff --git a/src/org/python/core/packagecache/CachedJarsPackageManager.java b/src/org/python/core/packagecache/CachedJarsPackageManager.java
--- a/src/org/python/core/packagecache/CachedJarsPackageManager.java
+++ b/src/org/python/core/packagecache/CachedJarsPackageManager.java
@@ -5,6 +5,7 @@
 
 import org.python.core.Options;
 import org.python.core.PyJavaPackage;
+import org.python.core.util.FileUtil;
 import org.python.util.Generic;
 
 import java.io.BufferedInputStream;
@@ -773,7 +774,7 @@
      * overridden.
      */
     protected DataOutputStream outOpenIndex() throws IOException {
-        File indexFile = new File(this.cachedir, "packages.idx");
+        File indexFile = FileUtil.makePrivateRW(new File(this.cachedir, "packages.idx"));
         FileOutputStream ostream = new FileOutputStream(indexFile);
         return new DataOutputStream(new BufferedOutputStream(ostream));
     }
@@ -821,6 +822,7 @@
                 // That name is in use: make up another one.
                 file = new File(this.cachedir, jarname + "$" + index + ".pkc");
             }
+            file = FileUtil.makePrivateRW(file);
             entry.cachefile = file.getCanonicalPath();
 
         } else {
diff --git a/src/org/python/core/util/FileUtil.java b/src/org/python/core/util/FileUtil.java
--- a/src/org/python/core/util/FileUtil.java
+++ b/src/org/python/core/util/FileUtil.java
@@ -2,6 +2,7 @@
 package org.python.core.util;
 
 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -90,4 +91,35 @@
         }
         return out.toByteArray();
     }
+
+    /**
+     * Create the named file (if necessary) and give just the owner read-write access.
+     *
+     * @param filename to create/control
+     * @return {@code File} object for subsequent open
+     * @throws IOException
+     */
+    public static File makePrivateRW(String filename) throws IOException {
+        return makePrivateRW(new File(filename));
+    }
+
+    /**
+     * Create the identified file (if necessary) and give just the owner read-write access.
+     *
+     * @param file to create/control
+     * @return {@code File} object for subsequent open
+     * @throws IOException
+     */
+    public static File makePrivateRW(File file) throws IOException {
+        file.createNewFile();
+        // Remove permissions for all
+        file.setReadable(false, false);
+        file.setWritable(false, false);
+        file.setExecutable(false, false);
+        // Add permissions for owner
+        file.setReadable(true);
+        file.setWritable(true);
+        return file;
+    }
+
 }

-- 
Repository URL: https://hg.python.org/jython

More information about the Jython-checkins mailing list