#13579: Python sys.path security risk
-------------------------------------+-------------------------------------
       Reporter:  vbraun             |        Owner:  mvngu
           Type:  defect             |       Status:  closed
       Priority:  blocker            |    Milestone:  sage-5.4
      Component:  doctest coverage   |   Resolution:  fixed
       Keywords:                     |    Merged in:  sage-5.4.rc2
        Authors:  Jeroen Demeyer,    |    Reviewers:  Volker Braun, Jeroen
  Volker Braun                       |  Demeyer, David Roe
Report Upstream:  Reported           |  Work issues:
  upstream. No feedback yet.         |       Commit:
         Branch:                     |     Stopgaps:
   Dependencies:                     |
-------------------------------------+-------------------------------------
Description changed by jdemeyer:

Old description:

> `test_executable` runs various executables in `/tmp`. When running a
> script, Python puts the directory containing that script in `sys.path`.
> Therefore, it is trivial for any user to have code executed by the user
> running the doctests. For example:
> {{{
> [eviluser@hostname ~]$ echo 'print "EVIL!!"' > /tmp/socket.py
> ...
> [vbraun@hostname ~]$ sage -t -force_lib devel/sage/sage/tests/cmdline.py
> sage -t -force_lib "devel/sage/sage/tests/cmdline.py"
> **********************************************************************
> File "/home/vbraun/opt/sage-5.4.beta1/devel/sage/sage/tests/cmdline.py",
> line 248:
>     sage: print out
> Expected:
>     1
> Got:
>     EVIL!!
> }}}
> `test_executable` should securely create a temp directory and run the
> executable in there.
>
> '''Apply''':
>  1. [attachment:13579_sagelib.patch] to the Sage library.
>  1. [attachment:13579_scripts.patch] to Sage scripts (`local/bin`).
>  1. new spkg:
> [http://boxen.math.washington.edu/home/jdemeyer/spkg/python-2.7.3.p1.spkg]
> (patch added: [attachment:sys_path_security.patch])
>
> ''Reported upstream'': [http://bugs.python.org/issue16202]

New description:

 `test_executable` runs various executables in `/tmp`. When running a
 script, Python puts the directory containing that script in `sys.path`.
 Therefore, it is trivial for any user to have code executed by the user
 running the doctests. For example:
 {{{
 [eviluser@hostname ~]$ echo 'print "EVIL!!"' > /tmp/socket.py
 ...
 [vbraun@hostname ~]$ sage -t -force_lib devel/sage/sage/tests/cmdline.py
 sage -t -force_lib "devel/sage/sage/tests/cmdline.py"
 **********************************************************************
 File "/home/vbraun/opt/sage-5.4.beta1/devel/sage/sage/tests/cmdline.py",
 line 248:
     sage: print out
 Expected:
     1
 Got:
     EVIL!!
 }}}
 `test_executable` should securely create a temp directory and run the
 executable in there.

 '''Apply''':
  1. [attachment:13579_sagelib.patch] to the Sage library.
  1. [attachment:13579_scripts.patch] to Sage scripts (`local/bin`).
  1. new spkg:
 [http://boxen.math.washington.edu/home/jdemeyer/spkg/python-2.7.3.p1.spkg]
 (patch added: [attachment:sys_path_security.patch])

 ''Reported upstream'': [http://bugs.python.org/issue16202]

 ''See also'': [https://github.com/ipython/ipython/issues/7044]

--

--
Ticket URL: <http://trac.sagemath.org/ticket/13579#comment:84>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
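The mechanism the ticket describes, as an added example that is not part of the ticket, its attached patches, or Sage's `test_executable`: Python prepends the directory containing the script being run to `sys.path`, so a `socket.py` planted in a shared directory such as `/tmp` shadows the standard-library `socket` module for every script executed from there. The example builds a constructed "shared" directory with a planted `socket.py` and a constructed victim script, reproduces the hijack, and then shows two mitigations: the ticket's own approach of running the executable from a freshly created private directory (`tempfile.mkdtemp()`, mode 0700 with an unpredictable name), and Python 3's `-I` isolated mode, which leaves the script's directory out of `sys.path`. The function names, the `MARKER` attribute and the file names are assumptions of the example; the planted module uses Python 3 syntax rather than the Python 2 `print` of the ticket.

```python
import os
import shutil
import subprocess
import sys
import tempfile
import textwrap

# Constructed victim script standing in for the executable that
# test_executable runs from /tmp. It imports the stdlib `socket` module
# and reports whether it got the real one or a planted look-alike.
VICTIM_SCRIPT = textwrap.dedent("""\
    import socket
    print(getattr(socket, "MARKER", "stdlib"))
""")

# Constructed attacker module. In a world-writable /tmp any local user can
# drop this as /tmp/socket.py; it is found before the stdlib module because
# sys.path[0] is the directory of the script being executed.
EVIL_MODULE = 'MARKER = "EVIL!!"\n'


def plant_shared_dir():
    """Simulate a world-writable /tmp that already contains the attacker's
    socket.py. Returns the directory path (caller removes it)."""
    shared = tempfile.mkdtemp(prefix="shared_tmp_")
    with open(os.path.join(shared, "socket.py"), "w") as f:
        f.write(EVIL_MODULE)
    return shared


def run_script_in(directory, isolated=False, script_name="cmdline_test.py"):
    """Write VICTIM_SCRIPT into `directory` and run it with the current
    interpreter. With isolated=True the interpreter is started with -I,
    which keeps the script's directory out of sys.path. Returns stdout."""
    path = os.path.join(directory, script_name)
    with open(path, "w") as f:
        f.write(VICTIM_SCRIPT)
    cmd = [sys.executable] + (["-I"] if isolated else []) + [path]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_in_shared_dir(isolated=False):
    """Vulnerable pattern: run the executable from the shared directory.
    Returns "EVIL!!" by default, "stdlib" when -I is used."""
    shared = plant_shared_dir()
    try:
        return run_script_in(shared, isolated=isolated)
    finally:
        shutil.rmtree(shared)


def run_in_private_dir():
    """The fix proposed in the ticket: create a private temporary directory
    (mkdtemp uses mode 0700 and an unguessable name, so nobody else can plant
    files in it) and run the executable there. Returns "stdlib"."""
    private = tempfile.mkdtemp(prefix="test_executable_")
    try:
        return run_script_in(private)
    finally:
        shutil.rmtree(private)


if __name__ == "__main__":
    print("shared dir, default interpreter:", run_in_shared_dir())
    print("shared dir, python -I:          ", run_in_shared_dir(isolated=True))
    print("private mkdtemp() directory:    ", run_in_private_dir())
```

The private-directory fix does not rely on any interpreter flag and therefore also covers the Python 2.7 interpreter the ticket targets; `-I` only exists in Python 3. The point to check in a harness of this kind is not only where the script lives but also whether anything else (the current working directory, `PYTHONPATH`, a `.pth` file) can push an attacker-writable location ahead of the standard library.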
