Fix for PR#111: when using the inplace option, give the new file the
same permissions as the old file, plugging a security hole.
(Not using exactly the suggested bugfix.)
diff --git a/Lib/fileinput.py b/Lib/fileinput.py
index 2e26b5b..8f73fad 100644
--- a/Lib/fileinput.py
+++ b/Lib/fileinput.py
@@ -73,7 +73,7 @@
"""
-import sys, os
+import sys, os, stat
_state = None
@@ -203,10 +203,22 @@
self._filename + (self._backup or ".bak"))
try: os.unlink(self._backupfilename)
except os.error: pass
- # The next three lines may raise IOError
+ # The next few lines may raise IOError
os.rename(self._filename, self._backupfilename)
self._file = open(self._backupfilename, "r")
- self._output = open(self._filename, "w")
+ try:
+ perm = os.fstat(self._file.fileno())[stat.ST_MODE]
+ except:
+ self._output = open(self._filename, "w")
+ else:
+ fd = os.open(self._filename,
+ os.O_CREAT | os.O_WRONLY | os.O_TRUNC,
+ perm)
+ self._output = os.fdopen(fd, "w")
+ try:
+ os.chmod(self._filename, perm)
+ except:
+ pass
self._savestdout = sys.stdout
sys.stdout = self._output
else: