Feature or enhancement

Proposal:

The netrc module, when parsing the default ".netrc" file, does a security check that the file is owned by the current user if the file contains non-anonymous logins. That check is currently run once per line which contains a user other than anonymous. That means that the module issues a stat + os.getuid + pwd.getpwuid per entry in the netrc to compare whether the overall file permissions match the current user.

Because the check is just checking file permissions against the current user the same security would be provided by running the check once per netrc parse rather than once per entry.

I encountered this debugging why a script was slow to startup for a user with a large .netrc and discovered requests defaults to parsing netrc when no authentication is explicitly provided and that was triggering this behavior.

Has this already been discussed elsewhere?

No response given

Links to previous discussion of this feature:

No response

Linked PRs

• gh-139633: Run netrc file permission check only once per parse #139634