jenkins-bot submitted this change.


Approvals: Xqt: Looks good to me, approved jenkins-bot: Verified
[bugfix] Add a new variable 'private_folder_permission' to config.py

- update all file permission modes to private_files_permission
- update all folder permission modes to private_folder_permission

Bug: T315045
Bug: T206385
Change-Id: I0ae01bcd19cc63398b00beab91276d0d722f5272
---
M pywikibot/config.py
M pywikibot/scripts/generate_user_files.py
M scripts/listpages.py
M tests/tools_tests.py
4 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/pywikibot/config.py b/pywikibot/config.py
index 0e4c691..11d7b30 100644
--- a/pywikibot/config.py
+++ b/pywikibot/config.py
@@ -255,6 +255,7 @@
# stat.S_IWOTH 0o002 write permission for others
# stat.S_IXOTH 0o001 execute permission for others
private_files_permission = stat.S_IRUSR | stat.S_IWUSR
+private_folder_permission = stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR

# Allow user to stop warnings about file security
# by setting this to true.
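Review bot: The new `private_folder_permission` line has no comment saying why it differs from `private_files_permission`, and the legend above only lists the individual `stat` bits. A directory without the owner execute (search) bit cannot be entered, so a user who copies the file value into the folder setting ends up with unusable directories. A short comment above the added line would help, e.g. `# folders also need S_IXUSR so the owner can enter them`.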
@@ -368,7 +369,7 @@
for dir_ in base_dir_cand:
dir_s = os.path.join(*dir_)
try:
- os.makedirs(dir_s, mode=private_files_permission)
+ os.makedirs(dir_s, mode=private_folder_permission)
except OSError: # PermissionError or already exists
if exists(dir_s):
base_dir = dir_s
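Review bot: `os.makedirs(dir_s, mode=private_folder_permission)` applies the mode only to a newly created leaf directory; since Python 3.7 any missing parent directories are created with the default mode (minus umask). The `except OSError` branch also accepts an already existing `dir_s` without looking at its mode, so a base directory that is already group- or world-accessible is not covered by the new setting. A comment such as `# mode covers only a newly created leaf; existing dirs and parents keep their permissions` would make that limit explicit. The same leaf-only behaviour applies to the `os.makedirs` call changed in scripts/listpages.py. The loop body continues outside this hunk.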
@@ -1132,15 +1133,18 @@
mylang = 'test'

# SECURITY WARNINGS
-if (not ignore_file_security_warnings
- and private_files_permission & (stat.S_IRWXG | stat.S_IRWXO) != 0):
- error("CRITICAL SECURITY WARNING: 'private_files_permission' is set"
- ' to allow access from the group/others which'
- ' could give them access to the sensitive files.'
- ' To avoid giving others access to sensitive files, pywikibot'
- " won't run with this setting. Choose a more restrictive"
- " permission or set 'ignore_file_security_warnings' to true.")
- sys.exit(1)
+if not ignore_file_security_warnings:
+ for _permission in ('private_files_permission',
+ 'private_folder_permission'):
+ if locals()[_permission] & (stat.S_IRWXG | stat.S_IRWXO) != 0:
+ error('\n' + fill(
+ f'CRITICAL SECURITY WARNING: {_permission!r} is set to allow'
+ ' access from the group/others which could give them access'
+ ' to the sensitive files. To avoid giving others access to'
+ " sensitive files, pywikibot won't run with this setting."
+ ' Choose a more restrictive permission or set'
+ " 'ignore_file_security_warnings' to true."))
+ sys.exit(1)

# Setup custom family files
for file_path in user_families_paths:
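Review bot: The lookup `locals()[_permission]` in the added loop only works because this code runs at module scope, where `locals()` is the module namespace. `globals()[_permission]` states the intent and keeps working if the check is ever moved into a function. The loop variable `_permission` also stays defined in the module afterwards; a trailing `del _permission` would avoid that, unless the code elsewhere in config.py that enumerates settings already skips underscore names (not visible here). `fill` is presumably `textwrap.fill`; its import is not part of this hunk.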
diff --git a/pywikibot/scripts/generate_user_files.py b/pywikibot/scripts/generate_user_files.py
index e188baa..6d4018e 100755
--- a/pywikibot/scripts/generate_user_files.py
+++ b/pywikibot/scripts/generate_user_files.py
@@ -370,10 +370,13 @@
# in it
with codecs.open(_fncpass, 'w', 'utf-8') as f:
f.write('')
- file_mode_checker(_fncpass, mode=0o600, quiet=True)
+ file_mode_checker(_fncpass,
+ mode=config.private_files_permission,
+ quiet=True)
with codecs.open(_fncpass, 'w', 'utf-8') as f:
f.write(PASSFILE_CONFIG.format(botpasswords=botpasswords))
- file_mode_checker(_fncpass, mode=0o600)
+ file_mode_checker(_fncpass,
+ mode=config.private_files_permission)
pywikibot.info(f"'{_fncpass}' written.")
except OSError:
os.remove(_fncpass)
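Review bot: The password file's mode now follows `config.private_files_permission` instead of the fixed `0o600`. A user who has loosened that setting and set `ignore_file_security_warnings` therefore gets a group- or world-accessible password file from both `file_mode_checker` calls. If that is intended, say so next to the first call, e.g. `# follows the user's setting; config.py rejects group/other bits unless ignore_file_security_warnings is set`. If it is not intended, keep an owner-only mode for this one file. The enclosing `try` block starts outside the hunk.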
diff --git a/scripts/listpages.py b/scripts/listpages.py
index 7489bcd..fd4f662 100755
--- a/scripts/listpages.py
+++ b/scripts/listpages.py
@@ -229,7 +229,8 @@
choice = pywikibot.input_yn('Do you want to create it ("No" '
'to continue without saving)?')
if choice:
- os.makedirs(base_dir, mode=0o744)
+ os.makedirs(base_dir,
+ mode=config.private_folder_permission)
else:
base_dir = None
elif not os.path.isdir(base_dir):
diff --git a/tests/tools_tests.py b/tests/tools_tests.py
index 3a4f362..a372d50 100755
--- a/tests/tools_tests.py
+++ b/tests/tools_tests.py
@@ -14,7 +14,7 @@
from contextlib import suppress
from unittest import mock

-from pywikibot import tools
+from pywikibot import config, tools
from pywikibot.tools import (
cached,
classproperty,
@@ -578,21 +578,24 @@
def test_auto_chmod_for_dir(self):
"""Do not chmod files that have mode private_files_permission."""
self.stat.return_value.st_mode = 0o040600 # dir
- tools.file_mode_checker(self.file, mode=0o600)
+ tools.file_mode_checker(self.file,
+ mode=config.private_folder_permission)
self.stat.assert_called_with(self.file)
self.assertFalse(self.chmod.called)

def test_auto_chmod_OK(self):
"""Do not chmod files that have mode private_files_permission."""
self.stat.return_value.st_mode = 0o100600 # regular file
- tools.file_mode_checker(self.file, mode=0o600)
+ tools.file_mode_checker(self.file,
+ mode=config.private_files_permission)
self.stat.assert_called_with(self.file)
self.assertFalse(self.chmod.called)

def test_auto_chmod_not_OK(self):
"""Chmod files that do not have mode private_files_permission."""
self.stat.return_value.st_mode = 0o100644 # regular file
- tools.file_mode_checker(self.file, mode=0o600)
+ tools.file_mode_checker(self.file,
+ mode=config.private_files_permission)
self.stat.assert_called_with(self.file)
self.chmod.assert_called_once_with(self.file, 0o600)
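Review bot: `test_auto_chmod_not_OK` now passes `config.private_files_permission` but still asserts the literal `0o600`, so it only holds while the configured value is `0o600`. Assert against the same name instead: `self.chmod.assert_called_once_with(self.file, config.private_files_permission)`. In `test_auto_chmod_for_dir` the stubbed directory mode is `0o040600`, while the requested mode is `private_folder_permission` (owner rwx per the config.py hunk). The "chmod not called" assertion therefore presumably passes because directories are skipped, not because the modes match. Its docstring still talks about files with `private_files_permission`; something like `"""Do not chmod directories."""` would describe what is tested.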



Gerrit-Project: pywikibot/core
Gerrit-Branch: master
Gerrit-Change-Id: I0ae01bcd19cc63398b00beab91276d0d722f5272
Gerrit-Change-Number: 841875
Gerrit-PatchSet: 4
Gerrit-Owner: Xqt <info@gno.de>
Gerrit-Reviewer: Dvorapa <dvorapa@seznam.cz>
Gerrit-Reviewer: Framawiki <framawiki@tools.wmflabs.org>
Gerrit-Reviewer: John Vandenberg <jayvdb@gmail.com>
Gerrit-Reviewer: Platonides <platonides@gmail.com>
Gerrit-Reviewer: RoySmith <roy@panix.com>
Gerrit-Reviewer: Urbanecm <martin.urbanec@wikimedia.cz>
Gerrit-Reviewer: Xqt <info@gno.de>
Gerrit-Reviewer: jenkins-bot
Gerrit-MessageType: merged