Skip to content

Commit

Permalink
pythongh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar…
Browse files Browse the repository at this point in the history
….save() (pythonGH-93463)

Note: This change is not effective on Microsoft Windows.

Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue python#79096.

The filesystem permissions are currently set to 644, everyone can read the
file. This commit changes the permissions to 600, only the creater of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a ways to circumvent the filesystems permissions.

This change is backwards incompatible. Systems that rely on world-readable
cookies will breake. However, one could argue that those are misconfigured in
the first place.
  • Loading branch information
pSub authored and ambv committed Jun 9, 2022
1 parent 98bbbbe commit 9c5364a
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 2 deletions.
4 changes: 2 additions & 2 deletions Lib/http/cookiejar.py
Original file line number Diff line number Diff line change
Expand Up @@ -1890,7 +1890,7 @@ def save(self, filename=None, ignore_discard=False, ignore_expires=False):
if self.filename is not None: filename = self.filename
else: raise ValueError(MISSING_FILENAME_TEXT)

with open(filename, "w") as f:
with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
# There really isn't an LWP Cookies 2.0 format, but this indicates
# that there is extra information in here (domain_dot and
# port_spec) while still being compatible with libwww-perl, I hope.
Expand Down Expand Up @@ -2086,7 +2086,7 @@ def save(self, filename=None, ignore_discard=False, ignore_expires=False):
if self.filename is not None: filename = self.filename
else: raise ValueError(MISSING_FILENAME_TEXT)

with open(filename, "w") as f:
with os.fdopen(os.open(filename, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
f.write(NETSCAPE_HEADER_TEXT)
now = time.time()
for cookie in self:
Expand Down
31 changes: 31 additions & 0 deletions Lib/test/test_http_cookiejar.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
"""Tests for http/cookiejar.py."""

import os
import sys
import re
import test.support
from test.support import os_helper
Expand All @@ -17,6 +18,7 @@
reach, is_HDN, domain_match, user_domain_match, request_path,
request_port, request_host)

mswindows = (sys.platform == "win32")

class DateTimeTests(unittest.TestCase):

Expand Down Expand Up @@ -368,6 +370,35 @@ def test_lwp_valueless_cookie(self):
except OSError: pass
self.assertEqual(c._cookies["www.acme.com"]["/"]["boo"].value, None)

@unittest.skipIf(mswindows, "windows file permissions are incompatible with file modes")
def test_lwp_filepermissions(self):
# Cookie file should only be readable by the creator
filename = os_helper.TESTFN
c = LWPCookieJar()
interact_netscape(c, "http://www.acme.com/", 'boo')
try:
c.save(filename, ignore_discard=True)
status = os.stat(filename)
print(status.st_mode)
self.assertEqual(oct(status.st_mode)[-3:], '600')
finally:
try: os.unlink(filename)
except OSError: pass

@unittest.skipIf(mswindows, "windows file permissions are incompatible with file modes")
def test_mozilla_filepermissions(self):
# Cookie file should only be readable by the creator
filename = os_helper.TESTFN
c = MozillaCookieJar()
interact_netscape(c, "http://www.acme.com/", 'boo')
try:
c.save(filename, ignore_discard=True)
status = os.stat(filename)
self.assertEqual(oct(status.st_mode)[-3:], '600')
finally:
try: os.unlink(filename)
except OSError: pass

def test_bad_magic(self):
# OSErrors (eg. file doesn't exist) are allowed to propagate
filename = os_helper.TESTFN
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
LWPCookieJar and MozillaCookieJar create files with file mode 600 instead of 644 (Microsoft Windows is not affected)

0 comments on commit 9c5364a

Please sign in to comment.