The parser cache is now always handled in a per-user fashion.

This avoids issues with people providing malciious caches in a multi-user system. Originally reported as: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=735263 A CVE number has been requested
alex · Jan 17, 2014 · fc9bbcd · fc9bbcd
1 parent 0a51c25
commit fc9bbcd
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/rply/parsergenerator.py b/rply/parsergenerator.py
@@ -2,6 +2,7 @@
 import hashlib
 import json
 import random
+import stat
 import string
 import sys
 import tempfile
@@ -124,17 +125,23 @@ def build(self):
 
         cache_file = os.path.join(
             tempfile.gettempdir(),
-            "rply-%s-%s-%s.json" % (self.VERSION, self.cache_id, self.compute_grammar_hash(g))
+            "rply-%s-%s-%s-%s.json" % (self.VERSION, os.getuid(), self.cache_id, self.compute_grammar_hash(g))
         )
         table = None
         if os.path.exists(cache_file):
             with open(cache_file) as f:
                 data = json.load(f)
-            if self.data_is_valid(g, data):
-                table = LRTable.from_cache(g, data)
+                stat_result = os.fstat(f.fileno())
+            if (
+                stat_result.st_uid == os.getuid() and
+                stat.S_IMODE(stat_result.st_mode) == 0o0600
+            ):
+                if self.data_is_valid(g, data):
+                    table = LRTable.from_cache(g, data)
         if table is None:
             table = LRTable.from_grammar(g)
-            with open(cache_file, "w") as f:
+            fd = os.open(cache_file, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o0600)
+            with os.fdopen(fd, "w") as f:
                 json.dump(self.serialize_table(table), f)
         if table.sr_conflicts:
             warnings.warn(