Commit 852b0341 authored by Vincent Pelletier's avatar Vincent Pelletier

http: Stop changing umask.

Instead, use a thread-safe way. Current code using it is not threaded, but
future code will be.
parent af832447
...@@ -44,6 +44,18 @@ _cryptography_backend = default_backend() ...@@ -44,6 +44,18 @@ _cryptography_backend = default_backend()
BACKUP_SUFFIX = '.sql.caucased' BACKUP_SUFFIX = '.sql.caucased'
def _createKey(path):
"""
Open a key file, setting it to minimum permission if it gets created.
Does not change umask, to be thread-safe.
Returns a python file object, opened for write-only.
"""
return os.fdopen(
os.open(path, os.O_WRONLY | os.O_CREAT, 0o600),
'w',
)
class ThreadingWSGIServer(ThreadingMixIn, WSGIServer): class ThreadingWSGIServer(ThreadingMixIn, WSGIServer):
""" """
Threading WSGI server Threading WSGI server
...@@ -179,7 +191,7 @@ def updateSSLContext( ...@@ -179,7 +191,7 @@ def updateSSLContext(
), ),
), ),
) )
with open(server_key_path, 'w') as crt_file: with _createKey(server_key_path) as crt_file:
crt_file.write(new_key_pem) crt_file.write(new_key_pem)
crt_file.write(new_crt_pem) crt_file.write(new_crt_pem)
else: else:
...@@ -225,13 +237,9 @@ def updateSSLContext( ...@@ -225,13 +237,9 @@ def updateSSLContext(
cas.createCertificate(csr_id) cas.createCertificate(csr_id)
new_crt_pem = cas.getCertificate(csr_id) new_crt_pem = cas.getCertificate(csr_id)
new_key_pem = utils.dump_privatekey(new_key) new_key_pem = utils.dump_privatekey(new_key)
old_mask = os.umask(077) with _createKey(server_key_path) as crt_file:
try: crt_file.write(new_key_pem)
with open(server_key_path, 'w') as crt_file: crt_file.write(new_crt_pem)
crt_file.write(new_key_pem)
crt_file.write(new_crt_pem)
finally:
os.umask(old_mask)
ssl_context.load_cert_chain(server_key_path) ssl_context.load_cert_chain(server_key_path)
if wrap: if wrap:
https.socket = ssl_context.wrap_socket( https.socket = ssl_context.wrap_socket(
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment