Nick Coghlan <[email protected]> added the comment:
Good catch Eryk, I misdiagnosed what was going on, since the current directory
and the parent directory were the same location in Ned's particular example.
I double checked, and we resolve symlinks in path entries *before* performing
the incorrect directory traversal ("..." below indicates the usual standard
path entries, "/tmp" is the unexpected entry introduced by the bug), so it
isn't possible to use a symlink to get a user-controlled directory onto the
path:
```
$ ./python /tmp/spam
/tmp/spam
/tmp
...
$ ln -s /tmp/spam /tmp/mydir/malicious
$ ./python /tmp/mydir/malicious
/tmp/mydir/malicious
/tmp
...
```
That means that as far as I can tell, this is just a plain old bug, rather than
a potential security concern (since privileged admin-controlled commands
generally tend to live in admin-controlled directories, as if they didn't, potential
attackers would be able to replace them with arbitrary code directly).
----------
title: Zipfile & directory execution in 3.5.4 adds the current directory to
sys.path -> Zipfile & directory execution in 3.5.4 also adds the parent
directory to sys.path
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue32551>
_______________________________________
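A regression check for the behaviour discussed in the comment above, added here as an example (it is not part of the original message or of CPython's test suite): it runs a directory both directly and through a symlink and reports whether the parent of either the invoked name or the symlink target ends up on the child's `sys.path`. The function names and the `real/app` and `links/app_link` layout are constructed for illustration, and POSIX symlink support is assumed.

```python
import json, os, subprocess, sys, tempfile

# __main__.py written into the constructed test directory: dumps sys.path as JSON.
MAIN_SRC = "import json, sys\nprint(json.dumps(sys.path))\n"

def child_sys_path(target, cwd):
    """Run `python <target>` (directory execution) and return the child's sys.path."""
    out = subprocess.run([sys.executable, target], cwd=cwd, check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)

def unexpected_parents(path_entries, invoked, resolved):
    """Return parent dirs (of the invoked name or its resolved target) found on sys.path."""
    suspects = {os.path.realpath(os.path.dirname(invoked)),
                os.path.realpath(os.path.dirname(resolved))}
    return sorted({os.path.realpath(e) for e in path_entries if e} & suspects)

def check_directory_execution():
    """Build real/app and links/app_link -> real/app, run both, report leaked parents."""
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        app = os.path.join(base, "real", "app")
        link = os.path.join(base, "links", "app_link")
        os.makedirs(app)
        os.makedirs(os.path.dirname(link))
        with open(os.path.join(app, "__main__.py"), "w") as fh:
            fh.write(MAIN_SRC)
        os.symlink(app, link)
        results = {}
        for name, target in (("direct", app), ("symlink", link)):
            # cwd is the scratch root, which is not a parent of app or link.
            entries = child_sys_path(target, cwd=base)
            results[name] = {
                "has_app": app in {os.path.realpath(e) for e in entries if e},
                "leaked": unexpected_parents(entries, target, app),
            }
        return results

if __name__ == "__main__":
    print(json.dumps(check_directory_execution(), indent=2))
```

On an interpreter with the bug, the `leaked` list for the symlink case would contain the parent of the resolved target, matching the `/tmp` entry in the transcript above.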