[issue25288] readline.py file in current directory caused unexpected code execution.

2015-10-02 Thread Akira Li

Akira Li added the comment:

python3 -I

could be used as a workaround.

--
nosy: +akira

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue25288] readline.py file in current directory caused unexpected code execution.

2015-10-01 Thread Xiang Zhang

Xiang Zhang added the comment:

I can reproduce this action on Ubuntu.

A forged readline.py in Python's execution directory can steal Python's
permissions and do something dangerous.

--
nosy: +xiang.zhang




[issue25288] readline.py file in current directory caused unexpected code execution.

2015-10-01 Thread R. David Murray

R. David Murray added the comment:

Well, so much for my memory :(.

The actual discussion was in issue 12238, where *my* conclusion was that this 
should be fixed (readline should be special cased), but the issue is still open.

Patches welcome :)

--
resolution:  -> duplicate
stage:  -> resolved
status: open -> closed
superseder:  -> Readline module loading in interactive mode




[issue25288] readline.py file in current directory caused unexpected code execution.

2015-10-01 Thread R. David Murray

R. David Murray added the comment:

This is not a bug; this is the way python works.  When running in interactive 
mode (only) the current directory is first on the path.

Now, should this behavior be changed?  I think we've discussed this before and 
decided not to change it (for backward compatibility reasons), but I think 
there was dissent and that increasing emphasis on security since that 
discussion might argue for a different outcome.  It's a python-dev mailing list 
level issue, in any case.

--
nosy: +r.david.murray




[issue25288] readline.py file in current directory caused unexpected code execution.

2015-10-01 Thread Hiroki Kiyohara

Hiroki Kiyohara added the comment:

I see. Thank you very much, guys.

--




[issue25288] readline.py file in current directory caused unexpected code execution.

2015-10-01 Thread Hiroki Kiyohara

New submission from Hiroki Kiyohara:

Running the `python` interpreter will import a `readline.py` file in the current 
directory.
This causes unexpected code execution.

This problem was reported by 'Japan Vulnerability Notes' as a bug in the
Windows version of Python: http://jvn.jp/jp/JVN49503705/

It says that when we run the Windows version of Python, it will import a 
`readline.pyd` file in the current directory, and it may run unexpected code with 
the permissions assigned to python.exe.

The line causing this problem may be...
https://github.com/python/cpython/blob/2.7/Lib/code.py#L303


Should it be considered a vulnerability of Python (or of the Windows version of Python)?

--
messages: 252012
nosy: Hiroki Kiyohara
priority: normal
severity: normal
status: open
title: readline.py file in current directory caused unexpected code execution.
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6

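An added check, not part of this thread or of CPython, that ties the three points above together: it starts child interpreters to show that '' (the current directory) leads sys.path by default and is dropped under the `-I` workaround, and it lists entries in a directory that would shadow the modules code.py imports implicitly. The helper names, the `-c` probe and the scratch readline.py are constructed for the demonstration and the placeholder file is never imported.

```python
import importlib.machinery
import os
import subprocess
import sys
import tempfile

# Modules the interactive loop imports implicitly (Lib/code.py does
# `import readline`), so a same-named file in the working directory wins.
IMPLICIT_IMPORTS = ("readline", "rlcompleter")

def cwd_first_on_path(isolated):
    """Start a child interpreter and report whether '' (the current
    directory) is its first sys.path entry.  Under -I it is not added."""
    flags = ["-I"] if isolated else []
    out = subprocess.run(
        [sys.executable, *flags, "-c", "import sys; print(repr(sys.path[0]))"],
        capture_output=True, text=True, check=True).stdout.strip()
    return out == "''"

def shadowing_files(directory, names=IMPLICIT_IMPORTS):
    """Return {module: entry} for entries in `directory` that would be
    imported instead of the standard module while `directory` is first on
    sys.path.  Covers .py, .pyc, .so/.pyd and package directories."""
    suffixes = importlib.machinery.all_suffixes()
    found = {}
    for entry in sorted(os.listdir(directory)):
        for name in names:
            is_pkg = entry == name and os.path.isfile(
                os.path.join(directory, entry, "__init__.py"))
            if is_pkg or any(entry == name + s for s in suffixes):
                found.setdefault(name, entry)
    return found

def demo_shadow_check():
    """Constructed scenario: a stray readline.py next to an unrelated file
    in a scratch directory.  The file is only listed, never imported."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "readline.py"), "w") as fh:
            fh.write("# constructed placeholder, never executed\n")
        with open(os.path.join(scratch, "notes.txt"), "w") as fh:
            fh.write("unrelated file\n")
        return shadowing_files(scratch)

if __name__ == "__main__":
    print("'' first on sys.path by default:", cwd_first_on_path(False))
    print("'' first on sys.path under -I:  ", cwd_first_on_path(True))
    print("shadowing entries:", demo_shadow_check())
```

Run it from a directory you control; the first probe is True, the second False, and the scratch check reports only the planted readline.py.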