classification
Title: netrc module allows read of non-secured .netrc file
Type: security
Stage:
Components: Library (Lib)
Versions: Python 3.3, Python 3.2, Python 2.7, Python 2.6
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: barry, bruno.Piguet, r.david.murray
Priority: high
Keywords:

Created on 2012-06-02 12:53 by bruno.Piguet, last changed 2012-06-09 13:58 by r.david.murray.

Files
File name Uploaded Description
patch_netrc_2.6.txt bruno.Piguet, 2012-06-09 09:55 example of what could be a patch against the 2.6 version of netrc.py
Messages (4)
msg162132 - Author: bruno Piguet (bruno.Piguet) Date: 2012-06-02 12:53
Most FTP clients require that the .netrc file be owned by the user and readable/writable by nobody other than the user (i.e. permissions set to 0400 or 0600).
The netrc module doesn't do this kind of checking, allowing the use of a .netrc file written or modified by somebody else.
msg162165 - Author: R. David Murray (r.david.murray) * (Python committer) Date: 2012-06-02 19:02
This seems like something we should fix for the default file read.  There is a backward compatibility concern, but I think the security aspect overrides that.
msg162556 - Author: bruno Piguet (bruno.Piguet) Date: 2012-06-09 09:55
Do you agree that the attached patch could be a practical solution?
The patch is for the 2.6 version of the lib. Transposition to other versions should be trivial.

If we don't want to break backward compatibility, the solution is to add an optional behavior flag argument,
something like def __init__(self, file=None, sec_mode=False):
and have the default value be False for old versions and True for 3.3 and further.
msg162561 - Author: R. David Murray (r.david.murray) * (Python committer) Date: 2012-06-09 13:58
Thanks for the patch.

I think the extra check should be done unconditionally in the case where we've looked up the default .netrc file.  Adding a feature to 3.3 to provide an optional check for other files (with default False) would then be an additional enhancement, and I think a good one.  That should be a separate patch, probably even a separate issue.

I don't think the parse error is the right thing to raise, but I'm not sure what is.  An OSError, perhaps?

I'm adding the 2.6 release manager to see if he thinks this is of sufficient importance to go into a 2.6 release.
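
The check discussed in this thread, as an added example (it is not the attached patch_netrc_2.6.txt and not CPython's code): the default ~/.netrc is always checked for ownership and group/other access, and an explicitly named file only when asked. `InsecureNetrcError`, `check_netrc_permissions` and `load_netrc` are hypothetical names, and the `OSError` base class is an assumption since the thread leaves the exception type open; `sec_mode` is the flag name proposed in msg162556.

```python
import netrc
import os
import stat


class InsecureNetrcError(OSError):
    """Hypothetical exception name; the thread leaves the type undecided."""


def check_netrc_permissions(path):
    """Raise unless path is owned by the caller and closed to group/other."""
    if os.name != "posix":
        return  # ownership and mode bits below are POSIX concepts
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise InsecureNetrcError(
            "%s is owned by uid %d, not by the current user" % (path, st.st_uid))
    # Any group/other bit fails, so only modes such as 0400 or 0600 pass.
    exposed = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
    if exposed:
        raise InsecureNetrcError(
            "%s is accessible by group/other (mode %04o)"
            % (path, stat.S_IMODE(st.st_mode)))


def load_netrc(file=None, sec_mode=False):
    """Parse a netrc file, always checking the default ~/.netrc.

    sec_mode (name taken from the thread) opts an explicitly named file
    into the same check.
    """
    is_default = file is None
    if is_default:
        file = os.path.join(os.path.expanduser("~"), ".netrc")
    if is_default or sec_mode:
        check_netrc_permissions(file)
    # The stat above and the open inside netrc.netrc() are separate calls.
    return netrc.netrc(file)
```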
History
Date User Action Args
2012-06-09 13:58:40 r.david.murray set nosy: + barry; messages: + msg162561
2012-06-09 09:55:20 bruno.Piguet set files: + patch_netrc_2.6.txt; messages: + msg162556
2012-06-02 19:02:09 r.david.murray set priority: normal -> high; type: security; components: + Library (Lib); versions: + Python 2.7, Python 3.2, Python 3.3; nosy: + r.david.murray; messages: + msg162165
2012-06-02 12:54:19 bruno.Piguet set title: netrc module alows read of non-secured .netrc file -> netrc module allows read of non-secured .netrc file
2012-06-02 12:53:41 bruno.Piguet create