Message 215026 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	desrt, georg.brandl, larry, ned.deily, vstinner
Date	2014-03-28.09:10:52
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1395997853.22.0.324664220296.issue21082@psf.upfronthosting.co.za>
In-reply-to

Content
The shell command "umask" calls umask(022) to get the current umask, and then call umask() with result of the first call. 022 is the default umask, it's probably safer to call umask(0o22) in _get_masked_mode() instead of umask(0). Attached patch makes this change. If you change something, it should be backported to 3.2, 3.3 and 3.4, because I agree that it affects the security.

The shell command "umask" calls umask(022) to get the current umask, and then call umask() with result of the first call.

022 is the default umask, it's probably safer to call umask(0o22) in _get_masked_mode() instead of umask(0).

Attached patch makes this change.

If you change something, it should be backported to 3.2, 3.3 and 3.4, because I agree that it affects the security.

History
Date	User	Action	Args
2014-03-28 09:10:53	vstinner	set	recipients: + vstinner, georg.brandl, larry, ned.deily, desrt
2014-03-28 09:10:53	vstinner	set	messageid: <1395997853.22.0.324664220296.issue21082@psf.upfronthosting.co.za>
2014-03-28 09:10:53	vstinner	link	issue21082 messages
2014-03-28 09:10:52	vstinner	create