This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: creates *.lwp file in 644 mode
Type: security Stage:
Components: IO, Library (Lib) Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: aleskva, martin.panter, xtreak
Priority: normal Keywords:

Created on 2018-10-06 13:58 by aleskva, last changed 2022-04-11 14:59 by admin.

Messages (4)
msg327246 - (view) Author: Ales Kvapil (aleskva) Date: 2018-10-06 13:58
The creates an *.lwp file containing session cookies in non-safe 644 mode (everyone can read it). This is not a secure behavior, especially for storing session keys or session cookies. The file should be created in 600 mode in my opinion.
msg339126 - (view) Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2019-03-29 17:05
I guess this is a good choice and distutils stores .pypirc [0] in this manner that has username and password. 

msg341422 - (view) Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2019-05-05 06:41
Martin, any thoughts on this change?
msg388664 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2021-03-14 06:38
I don't have a strong opinion, but it does seem a sensible change that matches the high-level nature of the "cookiejar" module, with low risk of users relying on the current file permissions. On the other hand, the "curl" command seems to use the default mode when creating a cookies file (in Netscape a.k.a. Mozilla format):

$ curl --cookie-jar cookies
[. . .]
$ ls -l cookies
-rw-r--r-- 1 vadmium vadmium 418 Mar 14 17:12 cookies

The MozillaCookieJar class also seems to use the default file mode. I suppose it should be changed as well as the LWP class.
Date User Action Args
2022-04-11 14:59:06adminsetgithub: 79096
2021-03-14 06:38:53martin.pantersetmessages: + msg388664
components: - SSL
2020-10-21 16:39:48christian.heimessetassignee: christian.heimes ->

nosy: - christian.heimes
versions: + Python 3.8, Python 3.9, Python 3.10, - Python 2.7, Python 3.4, Python 3.5
2019-05-05 06:41:05xtreaksetnosy: + martin.panter
messages: + msg341422
2019-03-29 17:05:40xtreaksetnosy: + xtreak
messages: + msg339126
2018-10-06 13:58:56aleskvacreate