Fix for PR#111: when using the inplace option, give the new file the

same permissions as the old file, plugging a security hole. (Not using exactly the suggested bugfix.)

Fix for PR#111: when using the inplace option, give the new file the
same permissions as the old file, plugging a security hole. (Not using exactly the suggested bugfix.)
dcb8583c · Guido van Rossum · 39d4a023 · dcb8583c
Kaydet (Commit) dcb8583c authored Eki 18, 1999 tarafından Guido van Rossum
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 3 deletions

fileinput.py Lib/fileinput.py +15 -3

No files found.
--- a/Lib/fileinput.py
+++ b/Lib/fileinput.py
@@ -73,7 +73,7 @@ XXX Possible additions:

 """

-import sys, os
+import sys, os, stat

 _state = None

@@ -203,10 +203,22 @@ class FileInput:
                        self._filename + (self._backup or ".bak"))
                    try: os.unlink(self._backupfilename)
                    except os.error: pass
-                    # The next three lines may raise IOError
+                    # The next few lines may raise IOError
                    os.rename(self._filename, self._backupfilename)
                    self._file = open(self._backupfilename, "r")
-                    self._output = open(self._filename, "w")
+                    try:
+                        perm = os.fstat(self._file.fileno())[stat.ST_MODE]
+                    except:
+                        self._output = open(self._filename, "w")
+                    else:
+                        fd = os.open(self._filename,
+                                     os.O_CREAT | os.O_WRONLY | os.O_TRUNC,
+                                     perm)
+                        self._output = os.fdopen(fd, "w")
+                        try:
+                            os.chmod(self._filename, perm)
+                        except:
+                            pass
                    self._savestdout = sys.stdout
                    sys.stdout = self._output
                else: