[issue34915] LWPCookieJar.save() creates *.lwp file in 644 mode

2021-03-13 Thread Martin Panter 


Martin Panter  added the comment:

I don't have a strong opinion, but it does seem a sensible change that matches 
the high-level nature of the "cookiejar" module, with low risk of users relying 
on the current file permissions. On the other hand, the "curl" command seems to 
use the default mode when creating a cookies file (in Netscape a.k.a. Mozilla 
format):

$ curl --cookie-jar cookies https://www.google.com/
[. . .]
$ ls -l cookies
-rw-r--r-- 1 vadmium vadmium 418 Mar 14 17:12 cookies

The MozillaCookieJar class also seems to use the default file mode. I suppose 
it should be changed as well as the LWP class.

--
components:  -SSL

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34915] LWPCookieJar.save() creates *.lwp file in 644 mode

2020-10-21 Thread Christian Heimes 


Change by Christian Heimes :


--
assignee: christian.heimes -> 
nosy:  -christian.heimes
versions: +Python 3.10, Python 3.8, Python 3.9 -Python 2.7, Python 3.4, Python 
3.5

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34915] LWPCookieJar.save() creates *.lwp file in 644 mode

2019-05-05 Thread Karthikeyan Singaravelan 


Karthikeyan Singaravelan  added the comment:

Martin, any thoughts on this change?

--
nosy: +martin.panter

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34915] LWPCookieJar.save() creates *.lwp file in 644 mode

2019-03-29 Thread Karthikeyan Singaravelan 


Karthikeyan Singaravelan  added the comment:

I guess this is a good choice and distutils stores .pypirc [0] in this manner 
that has username and password. 

[0] 
https://github.com/python/cpython/blob/2f54908afc5665937d763510b4430f10cf764641/Lib/distutils/config.py#L45

--
nosy: +xtreak

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue34915] LWPCookieJar.save() creates *.lwp file in 644 mode

2018-10-06 Thread Ales Kvapil 


New submission from Ales Kvapil :

The LWPCookieJar.save() creates an *.lwp file containing session cookies in 
non-safe 644 mode (everyone can read it). This is not a secure behavior, 
especially for storing session keys or session cookies. The file should be 
created in 600 mode in my opinion.

https://github.com/python/cpython/blob/3.7/Lib/http/cookiejar.py#L1872

--
assignee: christian.heimes
components: IO, Library (Lib), SSL
messages: 327246
nosy: aleskva, christian.heimes
priority: normal
severity: normal
status: open
title: LWPCookieJar.save() creates *.lwp file in 644 mode
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com