#13579: Python sys.path security risk
-------------------------------------------------------+--------------------
Reporter: vbraun | Owner: mvngu
Type: defect | Status: closed
Priority: blocker | Milestone: sage-5.4
Component: doctest | Resolution: fixed
Keywords: | Work issues:
Report Upstream: Reported upstream. No feedback yet. | Reviewers: Volker Braun, Jeroen Demeyer, David Roe
Authors: Jeroen Demeyer, Volker Braun | Merged in: sage-5.4.rc2
Dependencies: | Stopgaps:
-------------------------------------------------------+--------------------
Comment (by leif):
Copy-pasted from sage-release:
{{{
$ env SAGE_TESTDIR=/tmp ./sage -t devel/sage/sage/tests/cmdline.py
sage -t "devel/sage/sage/tests/cmdline.py"
sys:1: RuntimeWarning: not adding directory '/private/tmp' to sys.path
since everybody can write to it.
Untrusted users could put files in this directory which might then be
imported by your Python code. As a general precaution from similar
exploits, you should not execute Python code from this directory
**********************************************************************
File
"/Users/leif/Sage/sage-5.6.beta3-vanilla/devel/sage/sage/tests/cmdline.py",
line 312:
sage: ret
Expected:
0
Got:
128
**********************************************************************
File
"/Users/leif/Sage/sage-5.6.beta3-vanilla/devel/sage/sage/tests/cmdline.py",
line 314:
sage: out.find("All tests passed!") >= 0
Expected:
True
Got:
False
**********************************************************************
File
"/Users/leif/Sage/sage-5.6.beta3-vanilla/devel/sage/sage/tests/cmdline.py",
line 317:
sage: ret
Expected:
0
Got:
128
**********************************************************************
File
"/Users/leif/Sage/sage-5.6.beta3-vanilla/devel/sage/sage/tests/cmdline.py",
line 319:
sage: out.find("All tests passed!") >= 0
Expected:
True
Got:
False
**********************************************************************
1 items had failures:
4 of 203 in __main__.example_1
***Test Failed*** 4 failures.
For whitespace errors, see the file /tmp/cmdline_77447.py
[84.3 s]
----------------------------------------------------------------------
The following tests failed:
sage -t "devel/sage/sage/tests/cmdline.py"
Total time for all tests: 84.4 seconds
Same with 'make testlong'; './sage -tp 1 ...' and 'make ptestlong' in
contrast work.
}}}
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:78>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
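
An added example (not Sage's or Python's own patch; the function names are hypothetical) of the kind of check that produces the RuntimeWarning in the log above: resolve the directory, then refuse to put it on the import path if its "other" write bit is set. It inspects only the directory's own mode bits, not its parents or its group permissions.

```python
import os
import stat
import sys
import tempfile
import warnings


def is_world_writable(path):
    """Return True if the 'other' write bit is set on `path`."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def safe_sys_path_insert(directory, path_list=None):
    """Prepend `directory` to the import path unless everybody can write to it.
    Returns the resolved path if it was added, or None if it was refused."""
    if path_list is None:
        path_list = sys.path
    # Resolve symlinks first: on macOS /tmp points to /private/tmp, which is
    # why the log above names '/private/tmp' although SAGE_TESTDIR=/tmp.
    resolved = os.path.realpath(directory)
    if is_world_writable(resolved):
        warnings.warn("not adding directory %r to sys.path since everybody "
                      "can write to it" % resolved, RuntimeWarning, stacklevel=2)
        return None
    if resolved not in path_list:
        path_list.insert(0, resolved)
    return resolved


def demo():
    """Constructed input: one private and one world-writable directory."""
    with tempfile.TemporaryDirectory() as base:
        private = os.path.join(base, "private")
        shared = os.path.join(base, "shared")
        os.mkdir(private)
        os.mkdir(shared)
        os.chmod(private, 0o700)
        os.chmod(shared, 0o777)  # world-writable, like /tmp
        path_list = []  # stand-in for sys.path so the demo has no side effects
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            added_private = safe_sys_path_insert(private, path_list)
            added_shared = safe_sys_path_insert(shared, path_list)
        return {"private": added_private is not None,
                "shared": added_shared is not None,
                "warnings": len(caught), "path_len": len(path_list)}


if __name__ == "__main__":
    print(demo())
```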