Security problem: upload_template () ==> world readable file in the home folder #1341
I was running the upload_template() function from the fabric.contrib.files package and found an unexpected behavior.
-rw-r--r-- 1 me users 623 Jun 11 12:02 dbdc6b14139b9aaf18cfcd2cb1244440dbf08136
If the file happens to contain a password there is a chance of somebody reading it.
I was able to reproduce this with the below (fabric 1.12.0)
It created a file called
Full output of fabric
The issue is not specific to
The issue appears to be here:
For an invalid destination path, the
I propose the following approach which will clean up after itself in case of failure
@bitprophet what do you think of this approach?
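The failure mode discussed in this thread, modelled on the local filesystem as an added example (not code from the thread or from Fabric): a staged file is created with mode 0600 and removed if the move to the destination fails, and a small audit lists leftover files shaped like the one reported above. The names `install_via_staging`, `find_exposed_leftovers` and `demo`, and all sample paths and contents, are hypothetical.

```python
import os
import re
import stat
import tempfile

HEX40 = re.compile(r"^[0-9a-f]{40}$")  # shape of the leftover file name in the report

def install_via_staging(data, staging_dir, dest):
    """Stage data in a private temp file, move it to dest, clean up on failure."""
    fd, tmp = tempfile.mkstemp(dir=staging_dir)  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, dest)  # raises OSError if dest's directory is missing
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # never leave the staged copy behind
        raise

def find_exposed_leftovers(directory):
    """Names of 40-hex regular files that group or others can read."""
    hits = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        readable = st.st_mode & (stat.S_IRGRP | stat.S_IROTH)
        if HEX40.match(name) and stat.S_ISREG(st.st_mode) and readable:
            hits.append(name)
    return hits

def demo():
    with tempfile.TemporaryDirectory() as home:
        # Constructed leftover: same shape and mode as the file in the report.
        leftover = os.path.join(home, "ab" * 20)
        with open(leftover, "w") as fh:
            fh.write("password=constructed\n")
        os.chmod(leftover, 0o644)
        exposed = find_exposed_leftovers(home)
        try:  # invalid destination: the staged file must not survive
            install_via_staging(b"secret", home, os.path.join(home, "no/such/app.conf"))
            failed = False
        except OSError:
            failed = True
        after_failure = sorted(os.listdir(home))
        good = os.path.join(home, "app.conf")
        install_via_staging(b"secret", home, good)  # valid destination
        mode = stat.S_IMODE(os.stat(good).st_mode)
        return exposed, failed, after_failure, mode

if __name__ == "__main__":
    print(demo())
```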