Fix for PR#111: when using the inplace option, give the new file the

same permissions as the old file, plugging a security hole. (Not using exactly the suggested bugfix.)
1999-10-18 21:41:43 +00:00 · 1999-10-18 21:41:43 +00:00 · dcb8583c18
parent 39d4a0237a
commit dcb8583c18
1 changed files with 15 additions and 3 deletions
--- a/Lib/fileinput.py
+++ b/Lib/fileinput.py
@ -73,7 +73,7 @@ XXX Possible additions:

 """

-import sys, os
+import sys, os, stat

 _state = None

@ -203,10 +203,22 @@ class FileInput:
                        self._filename + (self._backup or ".bak"))
                    try: os.unlink(self._backupfilename)
                    except os.error: pass
-                    # The next three lines may raise IOError
+                    # The next few lines may raise IOError
                    os.rename(self._filename, self._backupfilename)
                    self._file = open(self._backupfilename, "r")
-                    self._output = open(self._filename, "w")
+                    try:
+                        perm = os.fstat(self._file.fileno())[stat.ST_MODE]
+                    except:
+                        self._output = open(self._filename, "w")
+                    else:
+                        fd = os.open(self._filename,
+                                     os.O_CREAT | os.O_WRONLY | os.O_TRUNC,
+                                     perm)
+                        self._output = os.fdopen(fd, "w")
+                        try:
+                            os.chmod(self._filename, perm)
+                        except:
+                            pass
                    self._savestdout = sys.stdout
                    sys.stdout = self._output
                else: