On 25 February 2016 at 07:14, M.-A. Lemburg <m...@egenix.com> wrote:
> On 24.02.2016 21:39, Cory Benfield wrote:
>>
>>> On 24 Feb 2016, at 12:19, M.-A. Lemburg <m...@egenix.com> wrote:
>>>
>>> On 24.02.2016 12:28, Cory Benfield wrote:
>>>> I’m not entirely sure this is accurate. Specifically, an attacker that is
>>>> able to set environment variables but nothing else (no filesystem access)
>>>> would be able to disable hostname validation. To my knowledge this is the
>>>> only environment variable that could be set that would do that.
>>>
>>> An attacker with access to the OS environment of a process would
>>> be able to do lots of things. I think disabling certificate checks
>>> is not one of the highest ranked attack vectors you'd use, given
>>> such capabilities :-)
>>>
>>> Think of LD_PRELOAD attacks, LD_LIBRARY_PATH manipulations, shell PATH
>>> manipulations (think spawned processes), compiler flag manipulations
>>> (think "pip install sourcepkg"), OpenSSL reconfiguration, etc.
>>
>> To be clear, I’m not suggesting that this represents a reason not to do any
>> of this, just that we should not suggest that there is no risk here: there
>> is, and it is a new attack vector.
>
> Fair enough :-)
I tweaked the explanation of that security caveat: https://hg.python.org/peps/rev/a24451715d84 (and then tweaked the tweak to replace "the main" with "a key").

I didn't mention the prospect of reading sensitive data from the environment, as the specific problem we're introducing is with write access, and I believe certain flavours of vulnerability can give the ability to do blind writes to the environment without necessarily gaining the ability to dump arbitrary details about that environment.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia