[Secure-testing-team] Bug#615118: python2.6: distutils creates .pypirc insecurely

Jakub Wilk jwilk at debian.org
Fri Feb 25 21:07:57 UTC 2011


Package: python2.6
Version: 2.6.6-8
Severity: important
Tags: security

distutils uses this method to create .pypirc:

     def _store_pypirc(self, username, password):
         """Creates a default .pypirc file."""
         rc = self._get_rc_file()
         f = open(rc, 'w')
         try:
             f.write(DEFAULT_PYPIRC % (username, password))
         finally:
             f.close()
         try:
             os.chmod(rc, 0600)
         except OSError:
             # should do something better here
             pass

There is a tiny timing window between the write() and chmod() calls in which 
the file (with the user's password) is world-readable.

-- 
Jakub Wilk
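As an added illustration (not code from the bug report or from distutils), the following Python 3 script reproduces the reported pattern next to a hardened variant that hands the 0600 mode to the create call itself, so the password is never on disk with a looser mode; it runs both under a fixed umask and reports the mode visible while the password is being written. The template string and sample credentials are constructed for the example.

```python
import os
import stat
import tempfile

# Constructed stand-in for distutils' DEFAULT_PYPIRC template (an assumption).
PYPIRC_TEMPLATE = "[distutils]\nindex-servers =\n    pypi\n\n[pypi]\nusername:%s\npassword:%s\n"


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def store_pypirc_racy(path, username, password):
    """The reported pattern: open() creates the file as 0666 & ~umask, the
    password is written, and only afterwards does chmod() tighten the mode.
    Returns the mode observed between write() and chmod(): the window."""
    with open(path, "w") as f:
        f.write(PYPIRC_TEMPLATE % (username, password))
        exposed = file_mode(path)  # what another local user sees right now
    os.chmod(path, 0o600)
    return exposed


def store_pypirc_safe(path, username, password):
    """Hardened form: pass 0600 to the create call itself, so no moment exists
    in which the file is readable by others. A stale .pypirc is unlinked first
    because O_CREAT's mode argument is ignored for an already-existing file;
    O_EXCL then guarantees we created (and therefore own the mode of) the file."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(PYPIRC_TEMPLATE % (username, password))
        exposed = file_mode(path)
    return exposed


def compare(umask=0o022):
    """Run both variants in a fresh temp dir under a fixed umask and return the
    mode each exposes while the password is on disk, plus the final mode."""
    old = os.umask(umask)
    try:
        path = os.path.join(tempfile.mkdtemp(), ".pypirc")
        racy = store_pypirc_racy(path, "alice", "s3cret")  # constructed sample
        safe = store_pypirc_safe(path, "alice", "s3cret")
        return {"racy_window": racy, "safe_window": safe, "final": file_mode(path)}
    finally:
        os.umask(old)
```

With the common umask of 022 the racy variant exposes the file as 0644 during the write; a restrictive umask of 077 happens to close the window, which is why the bug is easy to miss on hardened accounts.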
