
Configuration file should not be world readable

Open · kseistrup opened this issue 8 years ago · 1 comment

The command pocket-cli configure by default leaves the ~/.pocket-config file world readable:

$ ls -l ~/.pocket-config
-rw-r--r-- 1 kseistrup kseistrup 166 Feb 20 11:29 /home/kseistrup/.pocket-config

Since this file contains sensitive information (consumer_key and access_token) the file should be made readable only by the user (umask 0077) or at most by the user and their group (umask 0027) by setting the umask before creating the file.

E.g.,

diff --git a/pocket_cli/config.py b/pocket_cli/config.py
index 08ad61a..e572b2b 100644
--- a/pocket_cli/config.py
+++ b/pocket_cli/config.py
@@ -29,7 +29,9 @@ class Configs:
         self._config_parser.set(self._section_name, name, str(value))

     def write(self):
+        old_umask = os.umask(int('0077', 8))
         self._config_parser.write(open(self._get_file_path(), 'w'))
+        _ = os.umask(old_umask)

     def _get_file_path(self):
         return '{}/.pocket-config'.format(os.path.expanduser('~'))
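Review bot: the umask change in write() only affects the permission bits of a file being created, so a ~/.pocket-config that already exists as 0644 from an earlier run stays world readable after this hunk; an explicit os.chmod(self._get_file_path(), int('0600', 8)) after the write would cover that case. Two smaller points on the same lines: the restore `_ = os.umask(old_umask)` should sit in a finally block so an exception raised by write() does not leave the process umask at 0077, and the file object returned by `open(self._get_file_path(), 'w')` is never closed, which a `with` block would fix.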

The reason for using the cryptic int('0077', 8) is that octal 0077 is presented like that in Python 2, while Python 3 uses 0o077 (which isn't recognized by Python 2).

kseistrup avatar Feb 20 '16 10:02 kseistrup
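An added example, not code from the issue or from pocket-cli, showing the same fix in a form that does not depend on the caller's umask and that also tightens a file created earlier with permissive bits. The config content and the temporary path are constructed for the demonstration; it assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

# Constructed sample config; the real file holds a consumer_key and access_token.
SAMPLE_CONFIG = "[pocket]\nconsumer_key = placeholder\naccess_token = placeholder\n"


def write_private_config(path, content):
    """Write `content` to `path` so that only the owner can read or write it.

    Creating the file with os.open and an explicit 0o600 mode removes the
    dependency on the process umask, and the chmod afterwards also tightens a
    file that an earlier version already created world readable.
    """
    # int('0600', 8) keeps the literal valid on both Python 2 and Python 3.
    mode = int('0600', 8)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, 'w') as fh:
        fh.write(content)
    # The mode given to os.open is still masked by the umask and is ignored
    # entirely for an existing file, so apply the intended bits explicitly.
    os.chmod(path, mode)
    return config_is_private(path)


def config_is_private(path):
    """Return True if no group or other permission bits are set on `path`."""
    st_mode = os.stat(path).st_mode
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo():
    """Create the file the unsafe way under a permissive umask, then fix it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, '.pocket-config')
    old_umask = os.umask(int('0022', 8))  # the usual default that yields 0644
    try:
        with open(path, 'w') as fh:  # the original pattern: mode follows umask
            fh.write(SAMPLE_CONFIG)
        before = config_is_private(path)
        after = write_private_config(path, SAMPLE_CONFIG)
    finally:
        os.umask(old_umask)
    return before, after  # (False, True)
```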

You're right from a security perspective. I'll take your suggestion into account.

Thanks!

rakanalh avatar Feb 20 '16 11:02 rakanalh