github/gallery-dl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Avoid possible sensitive information disclosure via cache.file

Browse Source 
Previously cache.file could be created world readable leading to
possible sensitive information disclosure on multi-user systems.
Restrict permissions only to the owner by creating an empty file.

Please note that cache.file created before this commit may need a
`chmod 600' or similar!
This commit is contained in:
Leonardo Taccari
2019-07-29 12:58:45 +02:00
committed by Mike Fährmann
parent 2153206093
commit afce1ee1eb
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
gallery_dl/cache.py
View File

@@ -9,6 +9,7 @@
"""Decorators to keep function results in an in-memory and database cache""" """Decorators to keep function results in an in-memory and database cache"""
import sqlite3 import sqlite3
import pathlib
import pickle import pickle
import time import time
import functools import functools
@@ -198,7 +199,9 @@ def _path():
try: try:
dbfile = _path()
pathlib.Path(dbfile).touch(mode=0o600)
DatabaseCacheDecorator.db = sqlite3.connect( DatabaseCacheDecorator.db = sqlite3.connect(
_path(), timeout=30, check_same_thread=False) dbfile, timeout=30, check_same_thread=False)
except (TypeError, sqlite3.OperationalError): except (PermissionError, TypeError, sqlite3.OperationalError):
cache = memcache # noqa: F811 cache = memcache # noqa: F811