oauth: CacheFile should not store tokens world-readable, should store atomically

hiteshjoshi / goauth2

Automatically exported from code.google.com/p/goauth2

BSD 3-Clause "New" or "Revised" License

0 stars 0 forks source link

oauth: CacheFile should not store tokens world-readable, should store atomically #14

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago

CacheFile.PutToken uses os.Create, which creates a world-readable file. Storing 
oauth secrets in world-readable files is a bad idea.

Attached diff world-readable.diff fixes that.

But that's not all. PutToken can also leave a partially-written file around. 
Attached diff atomic-write.diff fixes that (diffed against tip, not on top of 
the other diff).

Original issue reported on code.google.com by tommi.vi...@gmail.com on 24 Feb 2013 at 6:21

Attachments:

GoogleCodeExporter commented 9 years ago

PutToken should also check .Close error return. New patch attached.

Original comment by tommi.vi...@gmail.com on 24 Feb 2013 at 6:27

Attachments:

atomic-write-2.diff

GoogleCodeExporter commented 9 years ago

Well observed, please follow these instructions to send a CL so that you can be 
appropriately attributed for your work: http://golang.org/doc/contribute.html 
(a lot of text, but quite simple).

Thanks.

Original comment by a...@golang.org on 25 Feb 2013 at 12:46

Changed title: oauth: CacheFile should not store tokens world-readable, should store atomically
Changed state: Accepted
Added labels: Priority-High
Removed labels: Priority-Medium