| -rw-r--r-- | .hgtags | 1 | ||||
| -rw-r--r-- | CHANGES.txt | 12 | ||||
| -rw-r--r-- | pkg_resources.py | 26 | ||||
| -rwxr-xr-x | setup.py | 4 |
4 files changed, 43 insertions, 0 deletions
@@ -65,3 +65,4 @@ d04c05f035e3a5636006fc34f4be7e6c77035d17 0.7.2
 d212e48e0cef689acba57ed017289c027660b23c 0.7.3
 74c6c12268059986f9cc0b535399594f1d131201 0.8b1
 85640475dda0621f20e11db0995fa07f51744a98 0.7.4
+dd5bbc116c53d3732d22f983e7ca6d8cfabd3b08 0.7.5
diff --git a/CHANGES.txt b/CHANGES.txt
index bed92b35..42286971 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -14,6 +14,10 @@ CHANGES
 -----
 
 * Issue #21: Restore Python 2.4 compatibility in ``test_easy_install``.
+* Distribute #375: Merged additional warning from Distribute 0.6.46.
+* Now honor the environment variable
+  ``SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT`` in addition to the now
+  deprecated ``DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT``.
 
 -----
 0.7.4
@@ -66,6 +70,14 @@ Added several features that were slated for setuptools 0.6c12:
 * Issue #3: Fixed NameError in SSL support.
 
 ------
+0.6.46
+------
+
+* Issue #375: Issue a warning if the PYTHON_EGG_CACHE or otherwise
+  customized egg cache location specifies a directory that's group- or
+  world-writable.
+
+------
 0.6.45
 ------
 
diff --git a/pkg_resources.py b/pkg_resources.py
index 3dc85525..a8ead572 100644
--- a/pkg_resources.py
+++ b/pkg_resources.py
@@ -14,6 +14,8 @@ method.
 """
 
 import sys, os, time, re, imp, types, zipfile, zipimport
+import warnings
+import stat
 try:
     from urlparse import urlparse, urlunparse
 except ImportError:
@@ -1016,6 +1018,7 @@ variable to point to an accessible directory.
         extract, as it tracks the generated names for possible cleanup later.
         """
         extract_path = self.extraction_path or get_default_cache()
+        self._warn_unsafe_extraction(extract_path)
         target_path = os.path.join(extract_path, archive_name+'-tmp', *names)
         try:
             _bypass_ensure_directory(target_path)
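Review bot: The line added in the `@@ -1016,6 +1018,7 @@` hunk of pkg_resources.py calls `self._warn_unsafe_extraction(extract_path)`, but the method this commit adds in the following hunk is named `warn_unsafe_extraction_path`, so unless a method of the former name exists elsewhere in the class (the page shows none) every call into this cache-path code would fail with AttributeError before any extraction happens; the call should read `self.warn_unsafe_extraction_path(extract_path)`. Independently, the new method does `os.stat(path)`, and the call is placed before `_bypass_ensure_directory(target_path)` creates the cache tree, so on a first run with a not-yet-existing egg cache directory the stat raises OSError instead of producing a warning; move the call after the try/except that ensures the directory (that except clause lies outside the hunk), so the permission check runs on a path that exists. The enclosing method starts before the hunk. As a smaller point, the Windows guard in the new method reads `os.environ['windir']` unguarded; presumably that variable is always set on NT, but `os.environ.get('windir', '')` would keep the check from raising KeyError in a stripped environment.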
@@ -1025,6 +1028,29 @@ variable to point to an accessible directory.
         self.cached_files[target_path] = 1
         return target_path
 
+    @staticmethod
+    def warn_unsafe_extraction_path(path):
+        """
+        If the default extraction path is overridden and set to an insecure
+        location, such as /tmp, it opens up an opportunity for an attacker to
+        replace an extracted file with an unauthorized payload. Warn the user
+        if a known insecure location is used.
+
+        See Distribute #375 for more details.
+        """
+        if os.name == 'nt' and not path.startswith(os.environ['windir']):
+            # On Windows, permissions are generally restrictive by default
+            # and temp directories are not writable by other users, so
+            # bypass the warning.
+            return
+        mode = os.stat(path).st_mode
+        if mode & stat.S_IWOTH or mode & stat.S_IWGRP:
+            msg = ("%s is writable by group/others and vulnerable to attack "
+                "when "
+                "used with get_resource_filename. Consider a more secure "
+                "location (set with .set_extraction_path or the "
+                "PYTHON_EGG_CACHE environment variable)." % path)
+            warnings.warn(msg, UserWarning)
@@ -56,6 +56,10 @@ from setuptools.command.test import test as _test
 scripts = []
 console_scripts = ["easy_install = setuptools.command.easy_install:main"]
+
+# Gentoo distributions manage the python-version-specific scripts themselves,
+# so they define an environment variable to suppress the creation of the
+# version-specific scripts.
 if os.environ.get("SETUPTOOLS_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") in (None, "", "0") and \
     os.environ.get("DISTRIBUTE_DISABLE_VERSIONED_EASY_INSTALL_SCRIPT") in (None, "", "0"):
     console_scripts.append("easy_install-%s = setuptools.command.easy_install:main" % sys.version[:3])
