Package: python3-profitbricks Version: 4.1.3-3 98 def _save_config(self, filename=None): 99 """ 100 Save the given user configuration. 101 """ 102 if filename is None: 103 filename = self._config_filename 104 parent_path = os.path.dirname(filename) 105 if not os.path.isdir(parent_path): 106 os.makedirs(parent_path) 107 with open(filename, "w") as configfile: 108 self._config.write(configfile)
144 def _get_password(self, password, use_config=True, config_filename=None, 145 use_keyring=HAS_KEYRING): 163 if not password and use_config: 164 if self._config is None: 165 self._read_config(config_filename) 166 password = self._config.get("credentials", "password", fallback=None) 186 password = getpass.getpass(question) 187 store_plaintext_passwords = self._config.get( 188 "preferences", "store-plaintext-passwords", fallback=None) 189 if store_plaintext_passwords != "no": 190 question = ("Do you want to store your password in plain text in " + 191 self._config_filename()) 192 answer = ask(question, ["yes", "no", "never"], "no") 193 if answer == "yes": 194 self._config.set("credentials", "password", password) 195 self._save_config() Now, I haven't tried, but I know I now have this file: |-rw-r--r-- 1 mattia mattia 44 Dec 11 17:20 /home/mattia/.config/profitbricks-sdk-python.ini that is world-readible. At this time it only contains my username: |% cat ~/.config/profitbricks-sdk-python.ini |[credentials] |username = mat...@debian.org | |% But I believe that if I set that "store-plaintext-passwords" magic switch, however well the library tries to have the user not to, it would then store the password in a world-readible file. If the user wants to shoot itself in the foot, at least please help him dodge the bullet a bit by making the file 600 and not the umask's default (644). I'm relieved that at least that by default it saved the password in the keyring (I hope) :) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. More about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
signature.asc
Description: PGP signature