[New-bugs-announce] [issue41375] `mode` security concern

YoSTEALTH report at bugs.python.org
Thu Jul 23 11:07:20 EDT 2020


New submission from YoSTEALTH <ritesh at stealthcentral.com>:

import os
import stat
import os.path


def problem(tmp_path):
    # result:
    # -------
    # check: False
    # mode: 416 (decimal; 0o640 in octal)

    # create temp file
    fd = os.open(tmp_path, os.O_CREAT, 0o660)
    os.close(fd)

    # Directory is affected as well
    # os.mkdir(tmp_path, 0o660)


def solution(tmp_path):
    # result:
    # -------
    # check: True
    # mode: 432 (decimal; 0o660 in octal)

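    # clear the umask so the requested mode is applied as-is
    old_umask = os.umask(0)
    try:
        # create temp file
        fd = os.open(tmp_path, os.O_CREAT, 0o660)
        os.close(fd)

        # create temp dir
        # os.mkdir(tmp_path, 0o660)
    finally:
        # always restore the previous umask, even if creation fails
        os.umask(old_umask)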


def main():
    tmp_path = '_testing-chmod'

    problem(tmp_path)
    # solution(tmp_path)

    try:
        s = os.stat(tmp_path)
        mode = stat.S_IMODE(s.st_mode)
        print('check:', mode == 0o660)
        print('mode:', mode)  # this should be: 432 (0o660)
    finally:
        # delete temp file
        try:
            os.unlink(tmp_path)
        except IsADirectoryError:
            os.rmdir(tmp_path)


if __name__ == '__main__':
    main()


This result is not the same for all OSes and distros; on multiple Linux systems, for example, the results will be different. I think Python should account for such behavior by default, as it can lead to file/dir creation with security issues.

----------
components: IO
messages: 374138
nosy: YoSTEALTH
priority: normal
severity: normal
status: open
title: `mode` security concern

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41375>
_______________________________________
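
Added example (not part of the original report and not CPython's own code): on POSIX, the mode passed to os.open() is combined with the process umask as mode & ~umask, which is why the result in the report depends on each system's default umask. The sketch below sets a constructed umask of 0o027 and compares a plain create with creating the file owner-only and then calling os.fchmod() on the open descriptor, which gives the exact mode without changing the process-wide umask. All helper names are hypothetical.

```python
import os
import stat
import tempfile


def create_with_umask(path, mode):
    """Plain os.open(): the kernel stores mode & ~umask."""
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, mode)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_exact(path, mode):
    """Create with owner-only bits, then set the exact mode on the open fd.

    The file is never more permissive than requested, and no process-wide
    umask change is needed (os.umask() affects every thread).
    """
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, mode & 0o600)
    try:
        os.fchmod(fd, mode)  # fchmod() is not filtered by the umask
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def demo(mask=0o027, mode=0o660):
    """Return (plain_mode, exact_mode, predicted_plain_mode).

    The umask is a constructed sample value, set here only to make the
    result deterministic; it is restored before returning.
    """
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as d:
            plain = create_with_umask(os.path.join(d, "plain"), mode)
            exact = create_exact(os.path.join(d, "exact"), mode)
    finally:
        os.umask(old)
    return plain, exact, mode & ~mask


if __name__ == "__main__":
    plain, exact, predicted = demo()
    print("plain os.open :", oct(plain), "predicted", oct(predicted))
    print("open + fchmod :", oct(exact))
```
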

