[3.11] gh-118486: Support mkdir(mode=0o700) on Windows (GH-118488) (GH-118739)

2025-12-31 04:23:37 +00:00 · 2024-05-24 01:13:18 +01:00 · 2024-05-24 01:13:18 +01:00 · 35c799d791
commit 35c799d791
parent 4762b36540
6 changed files with 103 additions and 2 deletions
--- a/Doc/library/os.rst
+++ b/Doc/library/os.rst
@ -2178,6 +2178,10 @@ features:
   platform-dependent.  On some platforms, they are ignored and you should call
   :func:`chmod` explicitly to set them.

+   On Windows, a *mode* of ``0o700`` is specifically handled to apply access
+   control to the new directory such that only the current user and
+   administrators have access. Other values of *mode* are ignored.
+
   This function can also support :ref:`paths relative to directory descriptors
   <dir_fd>`.

@ -2192,6 +2196,9 @@ features:
   .. versionchanged:: 3.6
      Accepts a :term:`path-like object`.

+   .. versionchanged:: 3.11.10
+      Windows now handles a *mode* of ``0o700``.
+

 .. function:: makedirs(name, mode=0o777, exist_ok=False)

--- a/Doc/whatsnew/3.11.rst
+++ b/Doc/whatsnew/3.11.rst
@ -899,6 +899,13 @@ os
  instead of ``CryptGenRandom()`` which is deprecated.
  (Contributed by Donghee Na in :issue:`44611`.)

+* As of 3.11.10, :func:`os.mkdir` and :func:`os.makedirs` on Windows
+  now support passing a *mode* value of ``0o700`` to apply access
+  control to the new directory. This implicitly affects
+  :func:`tempfile.mkdtemp` and is a mitigation for CVE-2024-4030.
+  Other values for *mode* continue to be ignored.
+  (Contributed by Steve Dower in :gh:`118486`.)
+

 .. _whatsnew311-pathlib:

@ -1059,6 +1066,11 @@ tempfile
  such as compression modules.
  (Contributed by Carey Metcalfe in :gh:`70363`.)

+* As of 3.11.10 on Windows, the default mode ``0o700`` used by
+  :func:`tempfile.mkdtemp` now limits access to the new directory due to
+  changes to :func:`os.mkdir`. This is a mitigation for CVE-2024-4030.
+  (Contributed by Steve Dower in :gh:`118486`.)
+

 .. _whatsnew311-threading: