[sage-trac] Re: [Sage] #13579: test_executable security risk

[Sage]

#13579: test_executable security risk
------------------------------------------------+---------------------------
       Reporter:  vbraun                        |         Owner:  mvngu         
              
           Type:  defect                        |        Status:  needs_review  
              
       Priority:  blocker                       |     Milestone:  sage-5.4      
              
      Component:  doctest                       |    Resolution:                
              
       Keywords:                                |   Work issues:                
              
Report Upstream:  N/A                           |     Reviewers:  Volker Braun, 
Jeroen Demeyer
        Authors:  Jeroen Demeyer, Volker Braun  |     Merged in:                
              
   Dependencies:                                |      Stopgaps:                
              
------------------------------------------------+---------------------------
Description changed by vbraun:

Old description:

> `test_executable` runs various executables in `/tmp`. When running a
> script, Python puts the directory containing that script in `sys.path`.
> Therefore, it is trivial for any user to have code executed by the user
> running the doctests. For example:
> {{{
> [eviluser@hostname ~]$ echo 'print "EVIL!!"' > /tmp/socket.py
> ...
> [vbraun@hostname ~]$ sage -t -force_lib devel/sage/sage/tests/cmdline.py
> sage -t -force_lib "devel/sage/sage/tests/cmdline.py"
> **********************************************************************
> File "/home/vbraun/opt/sage-5.4.beta1/devel/sage/sage/tests/cmdline.py",
> line 248:
>     sage: print out
> Expected:
>     1
> Got:
>     EVIL!!
> }}}
> `test_executable` should securely create a temp directory and run the
> executable in there.
>
> Attach [attachment:13579_secure_tmp.patch],
> [attachment:trac_13579_fix_test_executable.patch] to the Sage library.

New description:

 `test_executable` runs various executables in `/tmp`. When running a
 script, Python puts the directory containing that script in `sys.path`.
 Therefore, it is trivial for any user to have code executed by the user
 running the doctests. For example:
 {{{
 [eviluser@hostname ~]$ echo 'print "EVIL!!"' > /tmp/socket.py
 ...
 [vbraun@hostname ~]$ sage -t -force_lib devel/sage/sage/tests/cmdline.py
 sage -t -force_lib "devel/sage/sage/tests/cmdline.py"
 **********************************************************************
 File "/home/vbraun/opt/sage-5.4.beta1/devel/sage/sage/tests/cmdline.py",
 line 248:
     sage: print out
 Expected:
     1
 Got:
     EVIL!!
 }}}
 `test_executable` should securely create a temp directory and run the
 executable in there.

 Apply [attachment:13579_secure_tmp.patch],
 [attachment:trac_13579_fix_test_executable.patch] to the Sage library.

--

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:5>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB

-- 
You received this message because you are subscribed to the Google Groups 
"sage-trac" group.
To post to this group, send email to sage-trac@googlegroups.com.
To unsubscribe from this group, send email to 
sage-trac+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/sage-trac?hl=en.