jenkins-bot has submitted this change. ( 
https://gerrit.wikimedia.org/r/c/pywikibot/core/+/841875 )

Change subject: [bugfix] Add a new variable 'private_folder_permission' to 
config.py
......................................................................

[bugfix] Add a new variable 'private_folder_permission' to config.py

- update all file permission modes to private_files_permission
- update all folder permission modes to private_folder_permission

Bug: T315045
Bug: T206385
Change-Id: I0ae01bcd19cc63398b00beab91276d0d722f5272
---
M pywikibot/config.py
M pywikibot/scripts/generate_user_files.py
M scripts/listpages.py
M tests/tools_tests.py
4 files changed, 28 insertions(+), 17 deletions(-)

Approvals:
  Xqt: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/pywikibot/config.py b/pywikibot/config.py
index 0e4c691..11d7b30 100644
--- a/pywikibot/config.py
+++ b/pywikibot/config.py
@@ -255,6 +255,7 @@
 # stat.S_IWOTH 0o002 write permission for others
 # stat.S_IXOTH 0o001 execute permission for others
 private_files_permission = stat.S_IRUSR | stat.S_IWUSR
+private_folder_permission = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR

 # Allow user to stop warnings about file security
 # by setting this to true.
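Review bot: The new `private_folder_permission` line has no comment of its own, although config.py serves as the user-facing description of each setting. A short comment above it would tell users why it differs from `private_files_permission`, for example `# Directories additionally need the owner execute (search) bit to be entered`. It could also state that group/other bits are rejected by the security check later in the file.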
@@ -368,7 +369,7 @@
             for dir_ in base_dir_cand:
                 dir_s = os.path.join(*dir_)
                 try:
-                    os.makedirs(dir_s, mode=private_files_permission)
+                    os.makedirs(dir_s, mode=private_folder_permission)
                 except OSError:  # PermissionError or already exists
                     if exists(dir_s):
                         base_dir = dir_s
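Review bot: `os.makedirs(dir_s, mode=private_folder_permission)` applies the mode only to the leaf directory, and only after the process umask; since Python 3.7 any intermediate directories it creates get the default mode. The `except OSError` branch also accepts a directory that already exists without looking at its permissions, so a pre-existing group- or world-accessible base directory is used as is. Consider warning in the `exists(dir_s)` branch when `os.stat(dir_s).st_mode & (stat.S_IRWXG | stat.S_IRWXO)` is non-zero. The leaf-only behaviour also applies to the `os.makedirs(base_dir, ...)` call in scripts/listpages.py, where the created directory additionally changes from 0o744 to owner-only. The enclosing loop and `try` continue outside this hunk.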
@@ -1132,15 +1133,18 @@
     mylang = 'test'

 # SECURITY WARNINGS
-if (not ignore_file_security_warnings
-        and private_files_permission & (stat.S_IRWXG | stat.S_IRWXO) != 0):
-    error("CRITICAL SECURITY WARNING: 'private_files_permission' is set"
-          ' to allow access from the group/others which'
-          ' could give them access to the sensitive files.'
-          ' To avoid giving others access to sensitive files, pywikibot'
-          " won't run with this setting. Choose a more restrictive"
-          " permission or set 'ignore_file_security_warnings' to true.")
-    sys.exit(1)
+if not ignore_file_security_warnings:
+    for _permission in ('private_files_permission',
+                        'private_folder_permission'):
+        if locals()[_permission] & (stat.S_IRWXG | stat.S_IRWXO) != 0:
+            error('\n' + fill(
+                f'CRITICAL SECURITY WARNING: {_permission!r} is set to allow'
+                ' access from the group/others which could give them access'
+                ' to the sensitive files. To avoid giving others access to'
+                " sensitive files, pywikibot won't run with this setting."
+                ' Choose a more restrictive permission or set'
+                " 'ignore_file_security_warnings' to true."))
+            sys.exit(1)

 # Setup custom family files
 for file_path in user_families_paths:
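Review bot: `locals()[_permission]` in the new loop finds the setting only because `locals()` at module scope is the module namespace; `globals()[_permission]` states that intent and keeps working if the check is ever moved into a function. The test covers only the group/other bits, so an override of `private_folder_permission` that drops `stat.S_IXUSR` passes here and would yield directories the owner cannot enter; a separate warning for that case would help. The import of `fill` is not visible in this hunk and should be confirmed.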
diff --git a/pywikibot/scripts/generate_user_files.py 
b/pywikibot/scripts/generate_user_files.py
index e188baa..6d4018e 100755
--- a/pywikibot/scripts/generate_user_files.py
+++ b/pywikibot/scripts/generate_user_files.py
@@ -370,10 +370,13 @@
             # in it
             with codecs.open(_fncpass, 'w', 'utf-8') as f:
                 f.write('')
-                file_mode_checker(_fncpass, mode=0o600, quiet=True)
+                file_mode_checker(_fncpass,
+                                  mode=config.private_files_permission,
+                                  quiet=True)
             with codecs.open(_fncpass, 'w', 'utf-8') as f:
                 f.write(PASSFILE_CONFIG.format(botpasswords=botpasswords))
-                file_mode_checker(_fncpass, mode=0o600)
+                file_mode_checker(_fncpass,
+                                  mode=config.private_files_permission)
                 pywikibot.info(f"'{_fncpass}' written.")
         except OSError:
             os.remove(_fncpass)
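Review bot: Both `file_mode_checker` calls run after `codecs.open(_fncpass, 'w', 'utf-8')` has already created the file with the default mode, so until the chmod the password file has whatever the umask allows, and a handle opened by another local account in that window stays usable after the mode is tightened. Creating the file private from the start closes that window, assuming it does not yet exist at this point: `fd = os.open(_fncpass, os.O_WRONLY | os.O_CREAT | os.O_EXCL, config.private_files_permission)` followed by `os.fdopen(fd, 'w', encoding='utf-8')`. The surrounding `try` starts outside this hunk, and the import of `config` in this script is not visible here.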
diff --git a/scripts/listpages.py b/scripts/listpages.py
index 7489bcd..fd4f662 100755
--- a/scripts/listpages.py
+++ b/scripts/listpages.py
@@ -229,7 +229,8 @@
                 choice = pywikibot.input_yn('Do you want to create it ("No" '
                                             'to continue without saving)?')
                 if choice:
-                    os.makedirs(base_dir, mode=0o744)
+                    os.makedirs(base_dir,
+                                mode=config.private_folder_permission)
                 else:
                     base_dir = None
             elif not os.path.isdir(base_dir):
diff --git a/tests/tools_tests.py b/tests/tools_tests.py
index 3a4f362..a372d50 100755
--- a/tests/tools_tests.py
+++ b/tests/tools_tests.py
@@ -14,7 +14,7 @@
 from contextlib import suppress
 from unittest import mock

-from pywikibot import tools
+from pywikibot import config, tools
 from pywikibot.tools import (
     cached,
     classproperty,
@@ -578,21 +578,24 @@
     def test_auto_chmod_for_dir(self):
         """Do not chmod files that have mode private_files_permission."""
         self.stat.return_value.st_mode = 0o040600  # dir
-        tools.file_mode_checker(self.file, mode=0o600)
+        tools.file_mode_checker(self.file,
+                                mode=config.private_folder_permission)
         self.stat.assert_called_with(self.file)
         self.assertFalse(self.chmod.called)

     def test_auto_chmod_OK(self):
         """Do not chmod files that have mode private_files_permission."""
         self.stat.return_value.st_mode = 0o100600  # regular file
-        tools.file_mode_checker(self.file, mode=0o600)
+        tools.file_mode_checker(self.file,
+                                mode=config.private_files_permission)
         self.stat.assert_called_with(self.file)
         self.assertFalse(self.chmod.called)

     def test_auto_chmod_not_OK(self):
         """Chmod files that do not have mode private_files_permission."""
         self.stat.return_value.st_mode = 0o100644  # regular file
-        tools.file_mode_checker(self.file, mode=0o600)
+        tools.file_mode_checker(self.file,
+                                mode=config.private_files_permission)
         self.stat.assert_called_with(self.file)
         self.chmod.assert_called_once_with(self.file, 0o600)
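Review bot: `test_auto_chmod_not_OK` now passes `config.private_files_permission` but still asserts `self.chmod.assert_called_once_with(self.file, 0o600)`, so the test breaks whenever the configured value differs from 0o600; assert against `config.private_files_permission` instead. In `test_auto_chmod_for_dir` the stubbed `st_mode` is `0o040600`, which does not match `private_folder_permission` (0o700 per the config.py hunk), so the test passes only if `file_mode_checker` leaves directories alone. That is presumably the intent, but the docstring still reads "Do not chmod files that have mode private_files_permission"; something like `"""Do not chmod directories."""` would describe what is tested.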


--
To view, visit https://gerrit.wikimedia.org/r/c/pywikibot/core/+/841875

Gerrit-Project: pywikibot/core
Gerrit-Branch: master
Gerrit-Change-Id: I0ae01bcd19cc63398b00beab91276d0d722f5272
Gerrit-Change-Number: 841875
Gerrit-PatchSet: 4
Gerrit-Owner: Xqt <i...@gno.de>
Gerrit-Reviewer: Dvorapa <dvor...@seznam.cz>
Gerrit-Reviewer: Framawiki <framaw...@tools.wmflabs.org>
Gerrit-Reviewer: John Vandenberg <jay...@gmail.com>
Gerrit-Reviewer: Platonides <platoni...@gmail.com>
Gerrit-Reviewer: RoySmith <r...@panix.com>
Gerrit-Reviewer: Urbanecm <martin.urba...@wikimedia.cz>
Gerrit-Reviewer: Xqt <i...@gno.de>
Gerrit-Reviewer: jenkins-bot
Gerrit-MessageType: merged