Security issue with handling of cookie-jar

[mkomitee]

When ein authenticates to an ipython notebook server, under the hood it uses the curl and curls cookie-jar feature. This involves the creation of a file to store the cookies.

The file often ends up in $HOME/.emacs.d/request/curl-cookie-jar, but that's not always the case. The problem is, ein (and the underlying request library) doesn't do anything special to protect the files permissions.

If you use EIN from a host to which other untrusted users have access, they can steal and use the resulting cookies to execute code as you using your notebook server.

Can ein be modified to set a restrictive umask for the curl call?

[millejoh]

This is more an issue with tkf/emacs-request than it is with ein. Unfortunately, just like ein, tkf has not updated this project in 2 years. You can customize where requests stores cookies via the request-storage-directory variable and store the cookie jar in a directory that only you have access to.