Commit 0bca979e authored by Éric Araujo's avatar Éric Araujo

Create ~/.pypirc securely (#13512).

There was a window between the write and the chmod where the user’s
password would be exposed, depending on default permissions.  Philip
Jenvey’s patch fixes it.
parent 993d7914
...@@ -4,7 +4,6 @@ Provides the PyPIRCCommand class, the base class for the command classes ...@@ -4,7 +4,6 @@ Provides the PyPIRCCommand class, the base class for the command classes
that uses .pypirc in the distutils.command package. that uses .pypirc in the distutils.command package.
""" """
import os import os
import sys
from configparser import ConfigParser from configparser import ConfigParser
from distutils.cmd import Command from distutils.cmd import Command
...@@ -43,16 +42,8 @@ class PyPIRCCommand(Command): ...@@ -43,16 +42,8 @@ class PyPIRCCommand(Command):
def _store_pypirc(self, username, password): def _store_pypirc(self, username, password):
"""Creates a default .pypirc file.""" """Creates a default .pypirc file."""
rc = self._get_rc_file() rc = self._get_rc_file()
f = open(rc, 'w') with os.fdopen(os.open(rc, os.O_CREAT | os.O_WRONLY, 0o600), 'w') as f:
try:
f.write(DEFAULT_PYPIRC % (username, password)) f.write(DEFAULT_PYPIRC % (username, password))
finally:
f.close()
try:
os.chmod(rc, 0o600)
except OSError:
# should do something better here
pass
def _read_pypirc(self): def _read_pypirc(self):
"""Reads the .pypirc file.""" """Reads the .pypirc file."""
......
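Review bot: In `_store_pypirc`, the `0o600` passed to `os.open` only takes effect when the call creates the file, so a `.pypirc` that already exists with wider permissions keeps them now that the `os.chmod` call is gone, and the password is written into a file other users may be able to read. The flags also omit `os.O_TRUNC`, which the old `open(rc, 'w')` implied, so rewriting a longer existing file leaves stale bytes after the new content. I would open with `os.open(rc, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)` and, on platforms that provide it, call `os.fchmod(f.fileno(), 0o600)` before the `f.write(...)`, so the mode is tightened on the descriptor rather than by path. A short comment on the `with` line explaining why the file is created through `os.open` would keep a later cleanup from reverting to plain `open`.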