pawelad / pymonzo

Modern Python API client for Monzo public API.
https://pymonzo.pawelad.dev/
Mozilla Public License 2.0

Initially created token file is world readable on Unix #20

Closed nomis closed 9 months ago

nomis commented 6 years ago

The token file is created without specifying a mask so it will usually be world readable on Unix systems.

ghost commented 6 years ago

Could this possibly be fixed by adding something along the lines of:

os.chmod(path, 0o600)

To prevent the file from being world readable, or have I got the permissions incorrect?

nomis commented 6 years ago

No, chmod after creation is not sufficient.

Call os.umask(0o077) any time before opening it.

pawelad commented 9 months ago

First of all, sorry for replying so late. The library was essentially not supported since ~2017. I had some free time recently though and decided to give it some love and release v1.0.0.

This should be fixed: https://github.com/pawelad/pymonzo/blob/a3a609d07e1c07c06451ba551cd9ed5eda363f2b/src/pymonzo/settings.py#L49-L59
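The exposure window discussed in this thread, as an added example (not part of the issue and not pymonzo's own code): the first function follows the create-then-chmod pattern and reports the mode the file had while the token was already in it, the second passes the mode to `os.open` so the file is never created wider than 0o600. The function names, file names and token value are constructed for illustration, and passing a mode to `os.open` is used here in place of the `os.umask` call suggested above.

```python
import os
import stat
import tempfile
from contextlib import contextmanager


@contextmanager
def umask(mask):
    """Temporarily set the process umask (process-wide, not thread-safe)."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def save_then_chmod(path, token):
    """Create, write, then chmod. Returns the mode while the secret was in the file."""
    with open(path, "w") as f:        # created as 0o666 & ~umask
        f.write(token)
        f.flush()
        exposed = _mode(path)         # what other local users can see at this point
    os.chmod(path, 0o600)             # too late: the window already existed
    return exposed


def save_private(path, token):
    """Create as 0o600 at open time. Returns the mode while the secret was in the file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # kernel applies the mode at creation
    with os.fdopen(fd, "w") as f:
        os.fchmod(f.fileno(), 0o600)  # tighten a pre-existing, looser file before writing
        f.write(token)
        f.flush()
        return _mode(path)


def demo():
    """Run both patterns under a typical 0o022 umask; the token is a constructed value."""
    token = '{"access_token": "EXAMPLE"}'
    with tempfile.TemporaryDirectory() as d, umask(0o022):
        return (save_then_chmod(os.path.join(d, "a.json"), token),
                save_private(os.path.join(d, "b.json"), token))
```

Under a 0o022 umask, `demo()` returns 0o644 for the first pattern and 0o600 for the second; the `os.fchmod` call also covers a token file left behind with looser permissions by an earlier run.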