This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python Developer Guide.

classification
Title: LWPCookieJar.save() creates *.lwp file in 644 mode
Type: security
Stage:
Components: IO, Library (Lib)
Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: aleskva, martin.panter, xtreak
Priority: normal
Keywords:

Created on 2018-10-06 13:58 by aleskva, last changed 2022-04-11 14:59 by admin.

Messages (4)
msg327246 - Author: Ales Kvapil (aleskva) Date: 2018-10-06 13:58
The LWPCookieJar.save() creates an *.lwp file containing session cookies in non-safe 644 mode (everyone can read it). This is not a secure behavior, especially for storing session keys or session cookies. The file should be created in 600 mode in my opinion.

https://github.com/python/cpython/blob/3.7/Lib/http/cookiejar.py#L1872
msg339126 - Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2019-03-29 17:05
I guess this is a good choice and distutils stores .pypirc [0] in this manner that has username and password.

[0] https://github.com/python/cpython/blob/2f54908afc5665937d763510b4430f10cf764641/Lib/distutils/config.py#L45
msg341422 - Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2019-05-05 06:41
Martin, any thoughts on this change?
msg388664 - Author: Martin Panter (martin.panter) * (Python committer) Date: 2021-03-14 06:38
I don't have a strong opinion, but it does seem a sensible change that matches the high-level nature of the "cookiejar" module, with low risk of users relying on the current file permissions. On the other hand, the "curl" command seems to use the default mode when creating a cookies file (in Netscape a.k.a. Mozilla format):

$ curl --cookie-jar cookies https://www.google.com/
[. . .]
$ ls -l cookies
-rw-r--r-- 1 vadmium vadmium 418 Mar 14 17:12 cookies

The MozillaCookieJar class also seems to use the default file mode. I suppose it should be changed as well as the LWP class.
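The following is an added example illustrating the point raised in the report and in Martin's note about MozillaCookieJar; it is not CPython code and not a proposed patch. It shows why the saved file ends up world-readable (plain open(path, "w") creates it with 0666 masked by the process umask, normally 0644) and how a caller can wrap either jar class so the cookie file is owner-only before any cookie is written into it. The names save_private, file_mode, current_umask, make_session_cookie and demo, the cookie values, and the 0o600 target mode are this example's own choices.

```python
"""Save an http.cookiejar file with owner-only (0600) permissions.

Added example; not part of CPython. Assumes a POSIX-style os.chmod.
"""
import os
import stat
import tempfile
from http.cookiejar import Cookie, LWPCookieJar, MozillaCookieJar

PRIVATE_MODE = 0o600  # owner read/write only; the mode the report asks for


def file_mode(path):
    """Return just the permission bits of `path` (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def current_umask():
    """Read the process umask without changing it (os.umask sets and returns)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


def save_private(jar, path, ignore_discard=False, ignore_expires=False):
    """Write `jar` to `path` so the file is never world-readable.

    jar.save() opens the file with open(path, "w"), which creates it with
    0o666 & ~umask (typically 0o644).  Creating the file ourselves with
    O_CREAT and 0o600 first, and chmod-ing an existing file to the same
    mode, means the cookies are only ever written into an owner-only file.
    Works for LWPCookieJar and MozillaCookieJar alike since both take a
    filename.  Returns the resulting permission bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, PRIVATE_MODE)
    os.close(fd)
    # os.open's mode only applies when the file is created, so tighten a
    # pre-existing (possibly 0644) file explicitly as well.
    os.chmod(path, PRIVATE_MODE)
    jar.save(path, ignore_discard=ignore_discard, ignore_expires=ignore_expires)
    return file_mode(path)


def make_session_cookie():
    """A constructed session cookie (discard=True, no expiry) for the demo."""
    return Cookie(
        version=0, name="sessionid", value="constructed-example-token",
        port=None, port_specified=False,
        domain="example.com", domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def demo(fmt="lwp"):
    """Save one jar the library's default way and the private way.

    Returns (default_mode, private_mode, names reloaded from the private file).
    """
    jar_cls = {"lwp": LWPCookieJar, "mozilla": MozillaCookieJar}[fmt]
    jar = jar_cls()
    jar.set_cookie(make_session_cookie())
    with tempfile.TemporaryDirectory() as tmp:
        default_path = os.path.join(tmp, "default.txt")
        private_path = os.path.join(tmp, "private.txt")
        # Session cookies are skipped unless ignore_discard=True.
        jar.save(default_path, ignore_discard=True)      # umask-dependent mode
        save_private(jar, private_path, ignore_discard=True)
        reloaded = jar_cls()
        reloaded.load(private_path, ignore_discard=True)  # still a valid jar file
        return (file_mode(default_path), file_mode(private_path),
                [c.name for c in reloaded])


if __name__ == "__main__":
    for fmt in ("lwp", "mozilla"):
        default_mode, private_mode, names = demo(fmt)
        print(f"{fmt}: default {default_mode:o}, private {private_mode:o}, cookies {names}")
```

The default-mode value printed by demo() is whatever 0o666 & ~umask gives on the machine, which is the 644 from the report under the usual 022 umask; the private file is 0o600 regardless of umask, and both jar classes reload it unchanged.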
History
Date / User / Action / Args
2022-04-11 14:59:06 / admin / set / github: 79096
2021-03-14 06:38:53 / martin.panter / set / messages: + msg388664; components: - SSL
2020-10-21 16:39:48 / christian.heimes / set / assignee: christian.heimes ->; nosy: - christian.heimes; versions: + Python 3.8, Python 3.9, Python 3.10, - Python 2.7, Python 3.4, Python 3.5
2019-05-05 06:41:05 / xtreak / set / nosy: + martin.panter; messages: + msg341422
2019-03-29 17:05:40 / xtreak / set / nosy: + xtreak; messages: + msg339126
2018-10-06 13:58:56 / aleskva / create