gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() (GH-93463)gentoo-3.10-7.3.12rc1

Note: This change is not effective on Microsoft Windows. Cookies can store sensitive information and should therefore be protected against unauthorized third parties. This is also described in issue #79096. The filesystem permissions are currently set to 644, everyone can read the file. This commit changes the permissions to 600, only the creater of the file can read and modify it. This improves security, because it reduces the attack surface. Now the attacker needs control of the user that created the cookie or a ways to circumvent the filesystems permissions. This change is backwards incompatible. Systems that rely on world-readable cookies will breake. However, one could argue that those are misconfigured in the first place.
author: Pascal Wittmann <mail@pascal-wittmann.de> 2022-06-07 10:11:03 +0200
committer: Michał Górny <mgorny@gentoo.org> 2023-05-14 17:19:30 +0200
commit: a485d0bb97a6581897ef8b917c705ebb33209ac2 (patch)
tree: cbebaaa64538e38402161134e53148c045f9e1f1
parent: Add a Gentoo hack for WHEEL_PKG_DIR (diff)
download: pypy-a485d0bb97a6581897ef8b917c705ebb33209ac2.tar.gz
pypy-a485d0bb97a6581897ef8b917c705ebb33209ac2.tar.bz2
pypy-a485d0bb97a6581897ef8b917c705ebb33209ac2.zip
2 files changed, 33 insertions, 2 deletions
diff --git a/lib-python/3/http/cookiejar.py b/lib-python/3/http/cookiejar.py
index 0380d9f109..8156678885 100644
--- a/lib-python/3/http/cookiejar.py
+++ b/lib-python/3/http/cookiejar.py
@@ -1895,7 +1895,7 @@ class LWPCookieJar(FileCookieJar):
             if self.filename is not None: filename = self.filename
             else: raise ValueError(MISSING_FILENAME_TEXT)
 
-        with open(filename, "w") as f:
+        with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
             # There really isn't an LWP Cookies 2.0 format, but this indicates
             # that there is extra information in here (domain_dot and
             # port_spec) while still being compatible with libwww-perl, I hope.
@@ -2091,7 +2091,7 @@ class MozillaCookieJar(FileCookieJar):
             if self.filename is not None: filename = self.filename
             else: raise ValueError(MISSING_FILENAME_TEXT)
 
-        with open(filename, "w") as f:
+        with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
             f.write(NETSCAPE_HEADER_TEXT)
             now = time.time()
             for cookie in self:
diff --git a/lib-python/3/test/test_http_cookiejar.py b/lib-python/3/test/test_http_cookiejar.py
index 9450104d0b..15b281ae79 100644
--- a/lib-python/3/test/test_http_cookiejar.py
+++ b/lib-python/3/test/test_http_cookiejar.py
@@ -1,6 +1,7 @@
 """Tests for http/cookiejar.py."""
 
 import os
+import sys
 import re
 import test.support
 from test.support import os_helper
@@ -17,6 +18,7 @@ from http.cookiejar import (time2isoz, http2time, iso2time, time2netscape,
      reach, is_HDN, domain_match, user_domain_match, request_path,
      request_port, request_host)
 
+mswindows = (sys.platform == "win32")
 
 class DateTimeTests(unittest.TestCase):
 
@@ -368,6 +370,35 @@ class FileCookieJarTests(unittest.TestCase):
             except OSError: pass
         self.assertEqual(c._cookies["www.acme.com"]["/"]["boo"].value, None)
 
+    @unittest.skipIf(mswindows, "windows file permissions are incompatible with file modes")
+    def test_lwp_filepermissions(self):
+        # Cookie file should only be readable by the creator
+        filename = os_helper.TESTFN
+        c = LWPCookieJar()
+        interact_netscape(c, "http://www.acme.com/", 'boo')
+        try:
+            c.save(filename, ignore_discard=True)
+            status = os.stat(filename)
+            print(status.st_mode)
+            self.assertEqual(oct(status.st_mode)[-3:], '600')
+        finally:
+            try: os.unlink(filename)
+            except OSError: pass
+
+    @unittest.skipIf(mswindows, "windows file permissions are incompatible with file modes")
+    def test_mozilla_filepermissions(self):
+        # Cookie file should only be readable by the creator
+        filename = os_helper.TESTFN
+        c = MozillaCookieJar()
+        interact_netscape(c, "http://www.acme.com/", 'boo')
+        try:
+            c.save(filename, ignore_discard=True)
+            status = os.stat(filename)
+            self.assertEqual(oct(status.st_mode)[-3:], '600')
+        finally:
+            try: os.unlink(filename)
+            except OSError: pass
+
     def test_bad_magic(self):
         # OSErrors (eg. file doesn't exist) are allowed to propagate
         filename = os_helper.TESTFN
author	Pascal Wittmann <mail@pascal-wittmann.de>	2022-06-07 10:11:03 +0200
committer	Michał Górny <mgorny@gentoo.org>	2023-05-14 17:19:30 +0200
commit	a485d0bb97a6581897ef8b917c705ebb33209ac2 (patch)
tree	cbebaaa64538e38402161134e53148c045f9e1f1
parent	Add a Gentoo hack for WHEEL_PKG_DIR (diff)
download	pypy-a485d0bb97a6581897ef8b917c705ebb33209ac2.tar.gz pypy-a485d0bb97a6581897ef8b917c705ebb33209ac2.tar.bz2 pypy-a485d0bb97a6581897ef8b917c705ebb33209ac2.zip