[issue21082] _get_masked_mode in os.makedirs() is a serious security problem
Ryan Lortie
report at bugs.python.org
Fri Mar 28 08:04:06 CET 2014
New submission from Ryan Lortie:
http://bugs.python.org/file19849/mkdirs.tr.diff introduced a patch with this code in it:
+def _get_masked_mode(mode):
+ mask = umask(0)
+ umask(mask)
+ return mode & ~mask
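Review bot: The `umask(0)` / `umask(mask)` pair in `_get_masked_mode` implements a read as two writes to process-wide state, so between the two calls the whole process runs with a umask of 0 and anything another thread creates in that window gets its requested mode unmasked. The helper should not modify the umask in order to learn it: either remove the caller's dependency on the current umask, or obtain the value where the change cannot be observed by other threads (for example in a child process). The function also has no docstring or comment warning that it mutates global state.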
This changes the umask of the entire process. If another thread manages to create a file between those two calls then it will be world read/writable, regardless of the original umask of the process.
This is not theoretical: I discovered this bug by observing it happen.
----------
components: Library (Lib)
messages: 215020
nosy: desrt
priority: normal
severity: normal
status: open
title: _get_masked_mode in os.makedirs() is a serious security problem
type: security
versions: Python 3.3
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue21082>
_______________________________________
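The window described in the report, reproduced deterministically in a single thread, next to one way to read the umask without changing it in the calling process (querying it in a forked child). This is an added example, not code from the report or from CPython; it assumes a POSIX system, and the function names are hypothetical.

```python
import os
import stat


def create_in_umask_window(directory):
    """Create a file between the two umask() calls and return its mode bits.

    The os.open() call stands in for "another thread" creating a file
    while the process-wide umask is temporarily 0.
    """
    path = os.path.join(directory, "raced")
    mask = os.umask(0)            # first call: umask is now 0 for every thread
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(mask)            # second call: original umask restored
    return stat.S_IMODE(os.stat(path).st_mode)


def read_umask_in_child():
    """Return the current umask without ever changing it in this process.

    The umask is inherited across fork(), so a short-lived child can do the
    umask(0) read and report the old value back through a pipe.
    """
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                  # child: only touches its own umask
        try:
            os.close(r)
            os.write(w, format(os.umask(0), "o").encode())
        finally:
            os._exit(0)
    os.close(w)
    with os.fdopen(r, "rb") as pipe:
        data = pipe.read()
    os.waitpid(pid, 0)
    return int(data, 8)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print("mode of file created in the window:", oct(create_in_umask_window(d)))
    print("umask read in child:", oct(read_umask_in_child()))
```
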