[New-bugs-announce] [issue41375] `mode` security concern
YoSTEALTH
report at bugs.python.org
Thu Jul 23 11:07:20 EDT 2020
New submission from YoSTEALTH <ritesh at stealthcentral.com>:
import os
import stat
import os.path


def problem(tmp_path):
    # result:
    # -------
    # check: False
    # mode: 416

    # create temp file
    fd = os.open(tmp_path, os.O_CREAT, 0o660)
    os.close(fd)

    # Directory is affected as well
    # os.mkdir(tmp_path, 0o660)


def solution(tmp_path):
    # result:
    # -------
    # check: True
    # mode: 432

    old_umask = os.umask(0)

    # create temp file
    fd = os.open(tmp_path, os.O_CREAT, 0o660)
    os.close(fd)

    # create temp dir
    # os.mkdir(tmp_path, 0o660)

    os.umask(old_umask)


def main():
    tmp_path = '_testing-chmod'

    problem(tmp_path)
    # solution(tmp_path)

    try:
        s = os.stat(tmp_path)
        mode = stat.S_IMODE(s.st_mode)
        print('check:', mode == 0o660)
        print('mode:', mode)  # this should be: 432
    finally:
        # delete temp file
        try:
            os.unlink(tmp_path)
        except IsADirectoryError:
            os.rmdir(tmp_path)


if __name__ == '__main__':
    main()

This result is not the same for all OSes and distros; on multiple Linux systems, for example, the results will be different. I think Python should account for such behavior by default, as it can lead to file/dir creation with security issues.
----------
components: IO
messages: 374138
nosy: YoSTEALTH
priority: normal
severity: normal
status: open
title: `mode` security concern
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41375>
_______________________________________
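
An added example, not part of the original report or of CPython: the mode passed to os.open() is combined with the process umask (mode & ~umask), which is why the report sees 416 (0o640) instead of 432 (0o660) and why the result varies with each system's default umask. The helper names create_with_umask and create_exact are hypothetical; create_exact sets the final bits with os.fchmod() on the open descriptor (Unix only) instead of changing the process-wide umask.

```python
import os
import stat
import tempfile


def create_with_umask(path, mode, umask):
    """Create path via os.open() under the given umask; return its permission bits."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, mode)
        os.close(fd)
    finally:
        os.umask(old)  # always restore, even if os.open() raises
    return stat.S_IMODE(os.stat(path).st_mode)


def create_exact(path, mode):
    """Create path with exactly `mode` without touching the process-wide umask."""
    # Create with owner-only bits so the file is never wider than intended,
    # then set the final bits on the descriptor; fchmod() ignores the umask.
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, mode & 0o600)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return the resulting modes for a requested 0o660 under several umasks."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample umasks, chosen to show three different outcomes.
        for umask in (0o002, 0o022, 0o077):
            path = os.path.join(d, f"umask-{umask:03o}")
            results[umask] = create_with_umask(path, 0o660, umask)
        # Even under a restrictive umask, create_exact() yields 0o660.
        old = os.umask(0o077)
        try:
            results["exact"] = create_exact(os.path.join(d, "exact"), 0o660)
        finally:
            os.umask(old)
    return results


if __name__ == "__main__":
    for key, mode in demo().items():
        label = f"umask {key:03o}" if isinstance(key, int) else key
        print(f"{label}: {mode:04o} ({mode})")
```

Because os.umask() changes state for the whole process, the umask(0) approach can widen permissions on files created concurrently by other threads; the fchmod() variant avoids that.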