Package: python2.6
Version: 2.6.6-8
Severity: important
Tags: security
distutils uses this method to create .pypirc:
    def _store_pypirc(self, username, password):
        """Creates a default .pypirc file."""
        rc = self._get_rc_file()
        f = open(rc, 'w')
        try:
            f.write(DEFAULT_PYPIRC % (username, password))
        finally:
            f.close()
        try:
            os.chmod(rc, 0600)
        except OSError:
            # should do something better here
            pass
There is a tiny timing window between write() and chmod() calls in which
the file (with user's password) is world-readable.
--
Jakub Wilk
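
An added example, not part of the original report and not distutils' own code: it runs the write-then-chmod order from the report beside a variant that restricts the mode on the file descriptor before the password is written, and records the mode seen while the password is on disk. The names TEMPLATE, store_racy, store_private and demo are hypothetical, and the credentials are constructed.

```python
import os
import stat
import tempfile

# Constructed stand-in for distutils' DEFAULT_PYPIRC template.
TEMPLATE = "[server-login]\nusername:%s\npassword:%s\n"


def store_racy(path, username, password, observe):
    """Same order as the reported code: write the secret, then chmod."""
    with open(path, "w") as f:          # created as 0666 & ~umask
        f.write(TEMPLATE % (username, password))
    observe(path)                       # the window: password on disk, mode still loose
    os.chmod(path, 0o600)


def store_private(path, username, password, observe):
    """Restrict the mode on the descriptor before any secret is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)            # open()'s mode is ignored if the file already existed
        f.write(TEMPLATE % (username, password))
        f.flush()
        observe(path)                   # password on disk, mode already 0600


def demo():
    """Return the modes seen while the password is on disk, in three cases."""
    seen = []
    record = lambda p: seen.append(stat.S_IMODE(os.stat(p).st_mode))
    old_umask = os.umask(0o022)         # typical default, fixed for repeatability
    try:
        with tempfile.TemporaryDirectory() as d:
            store_racy(os.path.join(d, "racy"), "user", "constructed-pw", record)
            store_private(os.path.join(d, "new"), "user", "constructed-pw", record)
            stale = os.path.join(d, "stale")
            with open(stale, "w"):      # pre-existing 0644 file
                pass
            store_private(stale, "user", "constructed-pw", record)
    finally:
        os.umask(old_umask)
    return seen


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

The third case matters because the mode argument to os.open() only takes effect when the file is created; fchmod() on the open descriptor covers a file that already existed with looser permissions.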