Security problem: upload_template () ==> world readable file in the home folder #1341
Comments
I would expect that if
I was able to reproduce this with the below (fabric 1.12.0)
It created a file called

Full output of fabric
The issue is not specific to

The issue appears to be here:

For an invalid destination path, the

I propose the following approach which will clean up after itself in case of failure

@bitprophet what do you think of this approach?
…n path is invalid
I was running the upload_template() function from the fabric.contrib.files package and found an unexpected behavior.
If the "destination" parameter points to an invalid path then you end up with a world-readable file in your home folder:
-rw-r--r-- 1 me users 623 Jun 11 12:02 dbdc6b14139b9aaf18cfcd2cb1244440dbf08136
If the file happens to contain a password there is a chance of somebody reading it.
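
The failure case from this report, reproduced as an added example (not Fabric's code and not the patch proposed in the thread): a local temporary directory stands in for the remote home folder, the staged copy is created owner-only, and it is removed when the move to an invalid destination fails. The names `staged_write`, `world_readable_files` and `demo` are hypothetical, and the file content is constructed.

```python
import os
import stat
import tempfile


def staged_write(content: bytes, destination: str, staging_dir: str) -> None:
    """Stage content in staging_dir, then move it to destination.

    Local stand-in for an upload-then-move sequence: the staged file is
    created owner-only (0600) and is removed if the final move fails.
    """
    # mkstemp creates the file with mode 0600 regardless of the umask.
    fd, staged = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        # Raises OSError when the destination directory does not exist.
        os.replace(staged, destination)
    except BaseException:
        # Never leave the staged copy behind, whatever went wrong.
        if os.path.exists(staged):
            os.unlink(staged)
        raise


def world_readable_files(directory: str) -> list:
    """Return the regular files in directory that 'other' users can read."""
    found = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            if entry.stat(follow_symlinks=False).st_mode & stat.S_IROTH:
                found.append(entry.name)
    return sorted(found)


def demo() -> dict:
    """Run the invalid-destination case against a constructed 'home' folder."""
    with tempfile.TemporaryDirectory() as home:
        bad_destination = os.path.join(home, "no-such-dir", "app.conf")
        try:
            staged_write(b"password = constructed-sample\n", bad_destination, home)
            failed = False
        except OSError:
            failed = True
        return {"failed": failed,
                "left_behind": os.listdir(home),
                "world_readable": world_readable_files(home)}


if __name__ == "__main__":
    print(demo())
```

`world_readable_files` can also be pointed at a real home folder to find leftovers such as the `-rw-r--r--` file shown in the report.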