jenkins-bot has submitted this change. ( https://gerrit.wikimedia.org/r/c/pywikibot/core/+/841875 )
Change subject: [bugfix] Add a new variable 'private_folder_permission' to config.py ...................................................................... [bugfix] Add a new variable 'private_folder_permission' to config.py - update all file permission modes to private_files_permission - update all folder permission modes to private_folder_permission Bug: T315045 Bug: T206385 Change-Id: I0ae01bcd19cc63398b00beab91276d0d722f5272 --- M pywikibot/config.py M pywikibot/scripts/generate_user_files.py M scripts/listpages.py M tests/tools_tests.py 4 files changed, 28 insertions(+), 17 deletions(-) Approvals: Xqt: Looks good to me, approved jenkins-bot: Verified
diff --git a/pywikibot/config.py b/pywikibot/config.py
index 0e4c691..11d7b30 100644
--- a/pywikibot/config.py
+++ b/pywikibot/config.py
@@ -255,6 +255,7 @@
 # stat.S_IWOTH 0o002 write permission for others
 # stat.S_IXOTH 0o001 execute permission for others
 private_files_permission = stat.S_IRUSR | stat.S_IWUSR
+private_folder_permission = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
 # Allow user to stop warnings about file security
 # by setting this to true.
@@ -368,7 +369,7 @@
 for dir_ in base_dir_cand:
 dir_s = os.path.join(*dir_)
 try:
- os.makedirs(dir_s, mode=private_files_permission)
+ os.makedirs(dir_s, mode=private_folder_permission)
 except OSError: # PermissionError or already exists
 if exists(dir_s):
 base_dir = dir_s
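Review bot: In `os.makedirs(dir_s, mode=private_folder_permission)` the mode reaches only the leaf directory (since Python 3.7 intermediate directories get the default mode) and is still filtered by the process umask, and the `except OSError` branch accepts an already existing `dir_s` without looking at its permissions. A base directory that already exists with group or world access is therefore used unchanged. If that is deliberate, a comment after `if exists(dir_s):` should say so, e.g. `# existing directories keep their mode; only newly created ones get private_folder_permission`; otherwise a mode check belongs there. The same leaf-only behaviour applies to the `os.makedirs(base_dir, ...)` call in scripts/listpages.py, which also moves from 0o744 to the owner-only default. The enclosing loop continues outside the hunk.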
@@ -1132,15 +1133,18 @@
 mylang = 'test'
 # SECURITY WARNINGS
-if (not ignore_file_security_warnings
- and private_files_permission & (stat.S_IRWXG | stat.S_IRWXO) != 0):
- error("CRITICAL SECURITY WARNING: 'private_files_permission' is set"
- ' to allow access from the group/others which'
- ' could give them access to the sensitive files.'
- ' To avoid giving others access to sensitive files, pywikibot'
- " won't run with this setting. Choose a more restrictive"
- " permission or set 'ignore_file_security_warnings' to true.")
- sys.exit(1)
+if not ignore_file_security_warnings:
+ for _permission in ('private_files_permission',
+ 'private_folder_permission'):
+ if locals()[_permission] & (stat.S_IRWXG | stat.S_IRWXO) != 0:
+ error('\n' + fill(
+ f'CRITICAL SECURITY WARNING: {_permission!r} is set to allow'
+ ' access from the group/others which could give them access'
+ ' to the sensitive files. To avoid giving others access to'
+ " sensitive files, pywikibot won't run with this setting."
+ ' Choose a more restrictive permission or set'
+ " 'ignore_file_security_warnings' to true."))
+ sys.exit(1)
 # Setup custom family files
 for file_path in user_families_paths:
diff --git a/pywikibot/scripts/generate_user_files.py b/pywikibot/scripts/generate_user_files.py
index e188baa..6d4018e 100755
--- a/pywikibot/scripts/generate_user_files.py
+++ b/pywikibot/scripts/generate_user_files.py
@@ -370,10 +370,13 @@
 # in it
 with codecs.open(_fncpass, 'w', 'utf-8') as f:
 f.write('')
- file_mode_checker(_fncpass, mode=0o600, quiet=True)
+ file_mode_checker(_fncpass,
+ mode=config.private_files_permission,
+ quiet=True)
 with codecs.open(_fncpass, 'w', 'utf-8') as f:
 f.write(PASSFILE_CONFIG.format(botpasswords=botpasswords))
- file_mode_checker(_fncpass, mode=0o600)
+ file_mode_checker(_fncpass,
+ mode=config.private_files_permission)
 pywikibot.info(f"'{_fncpass}' written.")
 except OSError:
 os.remove(_fncpass)
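Review bot: `locals()[_permission]` in the new check works only because the loop runs at module scope, where `locals()` is the module namespace; `globals()[_permission]` states what is meant and keeps working if the check is ever moved into a function. The loop variable `_permission` also remains a module attribute of config after the loop unless it is removed with `del _permission`; whether config filters underscore names elsewhere is not visible here. `fill` is not imported in any visible hunk, so it is presumably already in scope in config.py; worth confirming.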
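Review bot: Both `file_mode_checker` calls for the password file now take their mode from `config.private_files_permission`, where 0o600 was fixed before. When `ignore_file_security_warnings` is set, the guard in config.py is skipped, so a relaxed `private_files_permission` would then be applied to the file that holds the bot passwords. If that is intended, say so at the call, e.g. `# password file follows private_files_permission; keep that setting owner-only`; otherwise clamp the value with `mode=config.private_files_permission & 0o600`. The enclosing try block starts outside the hunk.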
diff --git a/scripts/listpages.py b/scripts/listpages.py
index 7489bcd..fd4f662 100755
--- a/scripts/listpages.py
+++ b/scripts/listpages.py
@@ -229,7 +229,8 @@
 choice = pywikibot.input_yn('Do you want to create it ("No" '
 'to continue without saving)?')
 if choice:
- os.makedirs(base_dir, mode=0o744)
+ os.makedirs(base_dir,
+ mode=config.private_folder_permission)
 else:
 base_dir = None
 elif not os.path.isdir(base_dir):
diff --git a/tests/tools_tests.py b/tests/tools_tests.py
index 3a4f362..a372d50 100755
--- a/tests/tools_tests.py
+++ b/tests/tools_tests.py
@@ -14,7 +14,7 @@
 from contextlib import suppress
 from unittest import mock
-from pywikibot import tools
+from pywikibot import config, tools
 from pywikibot.tools import (
 cached,
 classproperty,
@@ -578,21 +578,24 @@
 def test_auto_chmod_for_dir(self):
 """Do not chmod files that have mode private_files_permission."""
 self.stat.return_value.st_mode = 0o040600 # dir
- tools.file_mode_checker(self.file, mode=0o600)
+ tools.file_mode_checker(self.file,
+ mode=config.private_folder_permission)
 self.stat.assert_called_with(self.file)
 self.assertFalse(self.chmod.called)
 def test_auto_chmod_OK(self):
 """Do not chmod files that have mode private_files_permission."""
 self.stat.return_value.st_mode = 0o100600 # regular file
- tools.file_mode_checker(self.file, mode=0o600)
+ tools.file_mode_checker(self.file,
+ mode=config.private_files_permission)
 self.stat.assert_called_with(self.file)
 self.assertFalse(self.chmod.called)
 def test_auto_chmod_not_OK(self):
 """Chmod files that do not have mode private_files_permission."""
 self.stat.return_value.st_mode = 0o100644 # regular file
- tools.file_mode_checker(self.file, mode=0o600)
+ tools.file_mode_checker(self.file,
+ mode=config.private_files_permission)
 self.stat.assert_called_with(self.file)
 self.chmod.assert_called_once_with(self.file, 0o600)
-- To view, visit https://gerrit.wikimedia.org/r/c/pywikibot/core/+/841875 To unsubscribe, or for help writing mail filters, visit https://gerrit.wikimedia.org/r/settings Gerrit-Project: pywikibot/core Gerrit-Branch: master Gerrit-Change-Id: I0ae01bcd19cc63398b00beab91276d0d722f5272 Gerrit-Change-Number: 841875 Gerrit-PatchSet: 4 Gerrit-Owner: Xqt <i...@gno.de> Gerrit-Reviewer: Dvorapa <dvor...@seznam.cz> Gerrit-Reviewer: Framawiki <framaw...@tools.wmflabs.org> Gerrit-Reviewer: John Vandenberg <jay...@gmail.com> Gerrit-Reviewer: Platonides <platoni...@gmail.com> Gerrit-Reviewer: RoySmith <r...@panix.com> Gerrit-Reviewer: Urbanecm <martin.urba...@wikimedia.cz> Gerrit-Reviewer: Xqt <i...@gno.de> Gerrit-Reviewer: jenkins-bot Gerrit-MessageType: merged
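Review bot: `test_auto_chmod_not_OK` now passes `config.private_files_permission` as the mode but still asserts `self.chmod.assert_called_once_with(self.file, 0o600)`, so the test silently depends on the config default being 0o600; asserting `self.chmod.assert_called_once_with(self.file, config.private_files_permission)` keeps the two in step. In `test_auto_chmod_for_dir` the docstring still speaks of files and private_files_permission, and the mocked `st_mode` of 0o040600 does not match the 0o700 default of `private_folder_permission`, so the test presumably passes only because directories are never chmod-ed by `file_mode_checker` (its body is not in this diff). A docstring such as `"""Do not chmod directories, whatever their mode."""` would state what is actually being verified.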