Skip to content

Commit

Permalink
Restrict accessibility of compiled files (fixes #2044 again).
Browse files Browse the repository at this point in the history
CVE-2013-2027 points out that Jython may be run with umask 0, and then
files cached will be world-writable affecting later sessions. #2044
claimed this fixed by other work, but this change fixes the permissions
explicitly in the compiler and package manager.
  • Loading branch information
jeff5 committed Jan 26, 2020
1 parent 25a9870 commit 053949e
Show file tree
Hide file tree
Showing 4 changed files with 38 additions and 3 deletions.
1 change: 1 addition & 0 deletions NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ https://github.com/jythontools/jython

Jython 2.7.2b3
Bugs fixed
- [ 2044 ] CVE-2013-2027 Current umask sets privileges of class files and cache
- [ 2834 ] Import of Java classes is not thread safe
- [ 2820 ] Import fails with UnicodeDecodeError if sys.path contains invalid UTF-8 bytes
- [ 2826 ] Unicode hex string decode failure
Expand Down
4 changes: 2 additions & 2 deletions src/org/python/core/imp.java
Original file line number Diff line number Diff line change
Expand Up @@ -480,12 +480,12 @@ public static String cacheCompiledSource(String sourceFilename, String compiledF
if (man != null) {
man.checkWrite(compiledFilename);
}
fop = new FileOutputStream(compiledFilename);
fop = new FileOutputStream(FileUtil.makePrivateRW(compiledFilename));
fop.write(compiledSource);
fop.close();
return compiledFilename;
} catch (IOException | SecurityException exc) {
// If we can't write the cache file, just logger and continue
// If we can't write the cache file, just log and continue
logger.log(Level.FINE, "Unable to write to source cache file ''{0}'' due to {1}",
new Object[] {compiledFilename, exc});
return null;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@

import org.python.core.Options;
import org.python.core.PyJavaPackage;
import org.python.core.util.FileUtil;
import org.python.util.Generic;

import java.io.BufferedInputStream;
Expand Down Expand Up @@ -773,7 +774,7 @@ protected DataInputStream inOpenIndex() throws IOException {
* overridden.
*/
protected DataOutputStream outOpenIndex() throws IOException {
File indexFile = new File(this.cachedir, "packages.idx");
File indexFile = FileUtil.makePrivateRW(new File(this.cachedir, "packages.idx"));
FileOutputStream ostream = new FileOutputStream(indexFile);
return new DataOutputStream(new BufferedOutputStream(ostream));
}
Expand Down Expand Up @@ -821,6 +822,7 @@ protected DataOutputStream outCreateCacheFile(JarXEntry entry, boolean create)
// That name is in use: make up another one.
file = new File(this.cachedir, jarname + "$" + index + ".pkc");
}
file = FileUtil.makePrivateRW(file);
entry.cachefile = file.getCanonicalPath();

} else {
Expand Down
32 changes: 32 additions & 0 deletions src/org/python/core/util/FileUtil.java
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
package org.python.core.util;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
Expand Down Expand Up @@ -90,4 +91,35 @@ public static byte[] readBytes(InputStream in) throws IOException {
}
return out.toByteArray();
}

/**
* Create the named file (if necessary) and give just the owner read-write access.
*
* @param filename to create/control
* @return {@code File} object for subsequent open
* @throws IOException
*/
public static File makePrivateRW(String filename) throws IOException {
return makePrivateRW(new File(filename));
}

/**
* Create the identified file (if necessary) and give just the owner read-write access.
*
* @param file to create/control
* @return {@code File} object for subsequent open
* @throws IOException
*/
public static File makePrivateRW(File file) throws IOException {
file.createNewFile();
// Remove permissions for all
file.setReadable(false, false);
file.setWritable(false, false);
file.setExecutable(false, false);
// Add permissions for owner
file.setReadable(true);
file.setWritable(true);
return file;
}

}

0 comments on commit 053949e

Please sign in to comment.