cpython/Lib/http
Łukasz Langa 2084f9479c
[3.11] gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() (GH-93463) (GH-93636)
Note: This change is not effective on Microsoft Windows.

Cookies can store sensitive information and should therefore be protected
against unauthorized third parties. This is also described in issue #79096.

The filesystem permissions are currently set to 644, everyone can read the
file. This commit changes the permissions to 600, only the creater of the file
can read and modify it. This improves security, because it reduces the attack
surface. Now the attacker needs control of the user that created the cookie or
a ways to circumvent the filesystems permissions.

This change is backwards incompatible. Systems that rely on world-readable
cookies will breake. However, one could argue that those are misconfigured in
the first place.

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Pascal Wittmann <mail@pascal-wittmann.de>
Co-authored-by: Christian Heimes <christian@python.org>
2022-06-09 16:16:37 +02:00
..
__init__.py gh-91996: Add an HTTPMethod StrEnum to http (GH-91997) 2022-05-05 15:39:02 -07:00
client.py bpo-28953: Use `raise from` when raising new IncompleteRead (GH-29861) 2021-12-06 16:10:49 -08:00
cookiejar.py [3.11] gh-79096: Protect cookie file created by {LWP,Mozilla}CookieJar.save() (GH-93463) (GH-93636) 2022-06-09 16:16:37 +02:00
cookies.py bpo-39481: PEP 585 for a variety of modules (GH-19423) 2020-04-10 07:46:36 -07:00
server.py bpo-46285: Add command-line option -p/--protocol to module http.server (#30999) 2022-05-02 16:28:45 -06:00