New submission from Ryan Lortie:

http://bugs.python.org/file19849/mkdirs.tr.diff introduced a patch with this 
code in it:

+def _get_masked_mode(mode):
+    mask = umask(0)
+    umask(mask)
+    return mode & ~mask
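
Review bot: the `umask(0)` / `umask(mask)` pair in `_get_masked_mode` is not atomic, and the umask belongs to the whole process rather than to the calling thread, so anything another thread creates between the two calls gets no mask applied. Reading the mask by temporarily setting it to 0 makes the window fail open. If the value has to be read this way, a restrictive temporary value such as `umask(0o077)` would at least fail closed, though it is still racy. The better change is to avoid needing the current umask in this code path at all.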

This changes the umask of the entire process.  If another thread manages to 
create a file between those two calls then it will be world read/writable, 
regardless of the original umask of the process.

This is not theoretical: I discovered this bug by observing it happen.

----------
components: Library (Lib)
messages: 215020
nosy: desrt
priority: normal
severity: normal
status: open
title: _get_masked_mode in os.makedirs() is a serious security problem
type: security
versions: Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue21082>
_______________________________________
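
The window described in the report can be shown deterministically. The following is an added example, not code from the patch or from CPython: it repeats the two `umask()` calls and uses two `threading.Event` objects to hold the window open while another thread creates a file. The names `get_masked_mode_instrumented`, `create_file` and `modes_during_and_after` are hypothetical, and a POSIX system is assumed.

```python
import os
import stat
import tempfile
import threading


def get_masked_mode_instrumented(mode, in_window, resume):
    # Same two umask() calls as the quoted patch. The two events are added
    # for this demo only: they hold the window open so the outcome is stable.
    mask = os.umask(0)      # process-wide umask is now 0 for every thread
    in_window.set()
    resume.wait()
    os.umask(mask)          # original umask restored
    return mode & ~mask


def create_file(path):
    # Ask for 0o666; the kernel applies the umask in force at this instant.
    fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def modes_during_and_after(process_umask=0o077):
    """Return (mode of a file created inside the window, mode of one after)."""
    old = os.umask(process_umask)
    in_window, resume = threading.Event(), threading.Event()
    worker = threading.Thread(
        target=get_masked_mode_instrumented, args=(0o777, in_window, resume))
    try:
        with tempfile.TemporaryDirectory() as d:
            worker.start()
            in_window.wait()                      # worker is between the calls
            during = create_file(os.path.join(d, "during"))
            resume.set()
            worker.join()
            after = create_file(os.path.join(d, "after"))
            return during, after
    finally:
        resume.set()        # never leave the worker blocked on an error path
        os.umask(old)


if __name__ == "__main__":
    during, after = modes_during_and_after()
    print(f"inside window: {during:04o}  after restore: {after:04o}")
```

With a process umask of 077, the file created inside the window comes out world read/writable while the one created after the restore is owner-only.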