From: R David Murray Date: Wed, 18 Sep 2013 00:32:54 +0000 (-0400) Subject: Merge #14984: On POSIX, enforce permissions when reading default .netrc. X-Git-Tag: v3.4.0a3~44^2^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8270a2c209836c49fb2909c3af6117c46439b86e;p=thirdparty%2FPython%2Fcpython.git Merge #14984: On POSIX, enforce permissions when reading default .netrc. --- 8270a2c209836c49fb2909c3af6117c46439b86e diff --cc Doc/library/netrc.rst index 3f38cbce7ad2,b6c1066e9a36..e085bce77123 --- a/Doc/library/netrc.rst +++ b/Doc/library/netrc.rst @@@ -22,6 -19,14 +22,14 @@@ the Unix :program:`ftp` program and oth no argument is given, the file :file:`.netrc` in the user's home directory will be read. Parse errors will raise :exc:`NetrcParseError` with diagnostic information including the file name, line number, and terminating token. + If no argument is specified on a POSIX system, the presence of passwords in + the :file:`.netrc` file will raise a :exc:`NetrcParseError` if the file + ownership or permissions are insecure (owned by a user other than the user + running the process, or accessible for read or write by any other user). + This implements security behavior equivalent to that of ftp and other + programs that use :file:`.netrc`. + - .. versionchanged:: 3.1.6 Added the POSIX permission check. ++ .. versionchanged:: 3.2.6 Added the POSIX permission check. .. exception:: NetrcParseError diff --cc Misc/NEWS index 2b07ae384fad,89ee27d0ea0f..6488b75f29e4 --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -10,16 -13,28 +10,22 @@@ What's New in Python 3.2.6 Library ------- + - Issue #14984: On POSIX systems, when netrc is called without a filename + argument (and therefore is reading the user's $HOME/.netrc file), it now + enforces the same security rules as typical ftp clients: the .netrc file must + be owned by the user that owns the process and must not be readable by any + other user. 
+ -- Issue #16248: Disable code execution from the user's home directory by tkinter - when the -E flag is passed to Python. +- Fix tkinter regression introduced by the security fix in issue #16248. +- Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of + service using certificates with many wildcards (CVE-2013-2099). -What's New in Python 3.1.5? -=========================== - -*Release date: 2012-04-08* -Core and Builtins ------------------ +What's New in Python 3.2.5? +=========================== -- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED - environment variable, to provide an opt-in way to protect against denial of - service attacks due to hash collisions within the dict and set types. Patch - by David Malcolm, based on work by Victor Stinner. +*Release date: 13-May-2013* Library -------
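Review bot: in the Doc/library/netrc.rst hunk, the `.. versionchanged:: 3.2.6` line that wins the conflict (the other parent read 3.1.6) is being merged onto the branch tagged v3.4.0a3, so the docs on this branch should cite the version in which this branch first ships the check, or list each release that carries the backport; please confirm the number before this lands. The same paragraph would also benefit from saying explicitly that a file passed by name is not checked, since "If no argument is specified on a POSIX system" leaves the explicit-filename case implicit, and from stating up front that the check fires only when the file contains a password, which is the condition the text actually describes.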
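Review bot: the Misc/NEWS entry says the .netrc file "must not be readable by any other user", while the netrc.rst text in the same patch says it must not be "accessible for read or write by any other user" and raises only when passwords are present; align the NEWS wording with the documented rule, e.g. "must be owned by the user that owns the process and must not be readable or writable by any other user; the check applies only when the file contains passwords". The 3.1.5 and 3.2.5 section lines in this combined-diff hunk are merge context from the other parent rather than part of this change, so they need no attention here.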