gh-118486: Update docs for CVE-2024-4030 reference (GH-118737)

Update docs for CVE-2024-4030 reference
python · May 9, 2024 · d86b494 · d86b494
1 parent 632682c
commit d86b494
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/Doc/whatsnew/3.13.rst b/Doc/whatsnew/3.13.rst
@@ -847,6 +847,12 @@ os
  :c:func:`!posix_spawn_file_actions_addclosefrom_np`.
  (Contributed by Jakub Kulik in :gh:`113117`.)
 
+* :func:`os.mkdir` and :func:`os.makedirs` on Windows now support passing a
+ *mode* value of ``0o700`` to apply access control to the new directory. This
+ implicitly affects :func:`tempfile.mkdtemp` and is a mitigation for
+ :cve:`2024-4030`. Other values for *mode* continue to be ignored.
+ (Contributed by Steve Dower in :gh:`118486`.)
+
 os.path
 -------
 
@@ -989,6 +995,14 @@ sys
  This function is not guaranteed to exist in all implementations of Python.
  (Contributed by Serhiy Storchaka in :gh:`78573`.)
 
+tempfile
+--------
+
+* On Windows, the default mode ``0o700`` used by :func:`tempfile.mkdtemp` now
+ limits access to the new directory due to changes to :func:`os.mkdir`. This
+ is a mitigation for :cve:`2024-4030`.
+ (Contributed by Steve Dower in :gh:`118486`.)
+
 time
 ----
 

diff --git a/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst b/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst
@@ -0,0 +1,4 @@
+:func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict
+the new directory to the current user. This fixes :cve:`2024-4030`
+affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary
+directory is more permissive than the default.