LWPCookieJar.save() creates *.lwp file in 644 mode #79096
Comments
|
The LWPCookieJar.save() creates an *.lwp file containing session cookies in non-safe 644 mode (everyone can read it). This is not a secure behavior, especially for storing session keys or session cookies. The file should be created in 600 mode in my opinion. https://github.com/python/cpython/blob/3.7/Lib/http/cookiejar.py#L1872 |
aleskva
mannequin
added
expert-SSL
3.7
stdlib
|
I guess this is a good choice and distutils stores .pypirc [0] in this manner that has username and password. [0] cpython/Lib/distutils/config.py Line 45 in 2f54908 |
|
Martin, any thoughts on this change? |
|
I don't have a strong opinion, but it does seem a sensible change that matches the high-level nature of the "cookiejar" module, with low risk of users relying on the current file permissions. On the other hand, the "curl" command seems to use the default mode when creating a cookies file (in Netscape a.k.a. Mozilla format): $ curl --cookie-jar cookies https://www.google.com/
[. . .]
$ ls -l cookies
-rw-r--r-- 1 vadmium vadmium 418 Mar 14 17:12 cookiesThe MozillaCookieJar class also seems to use the default file mode. I suppose it should be changed as well as the LWP class. |
Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue python#79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
….save() Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue python#79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
….save() Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue python#79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
….save() Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue python#79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
….save() Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue python#79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
|
FWIW Firefox also creates user profile directories with 700 so that looks like precedent to me. |
|
@AA-Turner removed the security branches from this issue suggesting that this isn't a security vulnerability in need of patching. Following this train of thought, , I'm not entirely sold on the idea that this change is even a "bug fix". It looks more like an enhancement to me, which I would err on especially given its backwards incompatibility. It's @pablogsal's call, I would consider it for 3.11 but not for 3.10. @tiran's got more experience with evaluating security issues so he can also weigh in on what we should do here. |
GH-93463) Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue #79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
|
I merged gh-93463 to 3.12. Waiting on @pablogsal and/or @tiran to voice their opinion on what to do with backports here. |
|
I share @ambv concerns regarding backward incompatibility. It's a potential security issue iff an application also uses insecure directories to store the cookies. Any security sensitive application should use directories with tight permissions for sensitive data. A strict Could you please improve the test code?
|
Sorry, I should have added a comment -- to confirm, my thinking was along the same lines as yours. A |
|
@ambv Could you please add |
Fixup of pythonGH-93463: - remove stray print - use proper way to check file mode - add working chmod decorator
|
@pablogsal, let us know if you'd agree for this to still land in 3.11. Otherwise this can be closed. |
|
I'm fine landing this in 3.11 as long as it goes in before next beta |
|
Alright, I'll do the backport now in one commit. |
….save() (pythonGH-93463) Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue python#79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
Fixup of pythonGH-93463: - remove stray print - use proper way to check file mode - add working chmod decorator Co-authored-by: Łukasz Langa <lukasz@langa.pl>
…r.save() (GH-93463) (GH-93636) Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue #79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place. Co-authored-by: Łukasz Langa <lukasz@langa.pl> Co-authored-by: Pascal Wittmann <mail@pascal-wittmann.de> Co-authored-by: Christian Heimes <christian@python.org>
|
Alright, this is landed to 3.11 and 3.12. Thanks, @pSub! |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: