From be8320718ce02583374df5312502490f0bd7e8a7 Mon Sep 17 00:00:00 2001 From: "Jason R. Coombs" Date: Fri, 21 Jun 2013 23:11:41 -0400 Subject: Issue a UserWarning when the egg cache directory is likely to be vulnerable to security issues per #375. --HG-- branch : distribute --- pkg_resources.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/pkg_resources.py b/pkg_resources.py index f8de449e..50e4ce9b 100644 --- a/pkg_resources.py +++ b/pkg_resources.py @@ -14,6 +14,8 @@ method. """ import sys, os, zipimport, time, re, imp, types +import warnings +import stat from urlparse import urlparse, urlunparse try: @@ -987,6 +989,7 @@ variable to point to an accessible directory. extract, as it tracks the generated names for possible cleanup later. """ extract_path = self.extraction_path or get_default_cache() + self._warn_unsafe_extraction(extract_path) target_path = os.path.join(extract_path, archive_name+'-tmp', *names) try: _bypass_ensure_directory(target_path) 
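Review bot: The added call `self._warn_unsafe_extraction(extract_path)` does not match the name of the method this same commit introduces, `warn_unsafe_extraction_path`, so as written the line raises AttributeError on every call that reaches the cache path; it should read `self.warn_unsafe_extraction_path(extract_path)` (or the method should be renamed to match). The check is also placed before `_bypass_ensure_directory(target_path)`, and the new method calls `os.stat(path)` unconditionally, so on a first run where the cache directory does not exist yet the warning helper fails with OSError instead of warning; moving the call after the try block that creates the directory avoids that. The enclosing method starts before this hunk and continues past it.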
@@ -996,6 +999,28 @@ variable to point to an accessible directory. self.cached_files[target_path] = 1 return target_path + @staticmethod + def warn_unsafe_extraction_path(path): + """ + If the default extraction path is overridden and set to an insecure + location, such as /tmp, it opens up an opportunity for an attacker to + replace an extracted file with an unauthorized payload. Warn the user + if a known insecure location is used. + + See Distribute #375 for more details. + """ + if os.name == 'nt' and not path.startswith(os.environ['windir']): + # On Windows, permissions are generally restrictive by default + # and temp directories are not writable by other users, so + # bypass the warning. + return + mode = os.stat(path).st_mode + if mode & stat.S_IWOTH: + msg = ("%s is writable by others and vulnerable to attack when " + "used with get_resource_filename. Consider a more secure " + "location (set with .set_extraction_path or the " + "PYTHON_EGG_CACHE environment variable)." % path) + warnings.warn(msg, UserWarning) -- cgit v1.2.3 From 7e8c32eeda9db5eab02e30ee4528c8c8674e57c5 Mon Sep 17 00:00:00 2001 From: "Jason R. Coombs" Date: Mon, 24 Jun 2013 05:18:05 -0400 Subject: Also protect against group-writable files --HG-- branch : distribute --- pkg_resources.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg_resources.py b/pkg_resources.py index 50e4ce9b..69e53ebd 100644 --- a/pkg_resources.py +++ b/pkg_resources.py @@ -1015,8 +1015,9 @@ variable to point to an accessible directory. # bypass the warning. return mode = os.stat(path).st_mode - if mode & stat.S_IWOTH: - msg = ("%s is writable by others and vulnerable to attack when " + if mode & stat.S_IWOTH or mode & stat.S_IWGRP: + msg = ("%s is writable by group/others and vulnerable to attack " + "when " "used with get_resource_filename. Consider a more secure " "location (set with .set_extraction_path or the " "PYTHON_EGG_CACHE environment variable)." % path) -- cgit v1.2.3 
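Review bot: The new check inspects only the permission bits of the cache directory, so a directory that is not group- or world-writable but is owned by a different account passes silently even though that owner controls its contents just as fully; since the hunk already returns early on Windows, a POSIX ownership comparison fits here, e.g. `st = os.stat(path)` followed by `if st.st_uid != os.getuid() or st.st_mode & stat.S_IWOTH:`. Separately, `os.environ['windir']` raises KeyError rather than warning when the variable is unset, which `os.environ.get('windir', '')` would avoid (an empty prefix then falls through to the stat check, which seems the safer default). The docstring would also benefit from stating that `path` must exist, because `os.stat` raises OSError otherwise and the caller is responsible for creating the directory first.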
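Review bot: Adding S_IWGRP to the condition is likely to warn on systems that use the user-private-group scheme, where a home directory created under umask 002 is group-writable by a group containing only the owner and is not actually exposed; a caveat to that effect in the docstring, or skipping the group check when `grp` reports the directory's group has only the owning user as a member, would keep the warning meaningful. As a matter of style, the two bit tests read more clearly as a single mask, `if mode & (stat.S_IWOTH | stat.S_IWGRP):`, and the message should be re-wrapped so the fragment `"when "` is not left on its own line. The enclosing method starts before this hunk.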
From 1ba56e8ddabe69b7837307f260a6b5e2f1c0b7c2 Mon Sep 17 00:00:00 2001 From: "Jason R. Coombs" Date: Sat, 29 Jun 2013 10:06:53 -0400 Subject: Update changelog --HG-- branch : distribute --- CHANGES.txt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGES.txt b/CHANGES.txt index 377dc8a5..42a5c3af 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -2,6 +2,14 @@ CHANGES ======= +------ +0.6.46 +------ + +* Issue #375: Issue a warning if the PYTHON_EGG_CACHE or otherwise + customized egg cache location specifies a directory that's group- or + world-writable. + ------ 0.6.39 ------ -- cgit v1.2.3