[issue16202] sys.path[0] security issues

2021-02-03 Thread Christian Heimes
Change by Christian Heimes: components: -Distutils; resolution: out of date -> ; stage: resolved -> ; status: closed -> open; versions: +Python 3.10, Python 3.8, Python 3.9, -Python 2.7

2021-02-03 Thread Steve Dower
Steve Dower added the comment: Distutils is now deprecated (see PEP 632) and all tagged issues are being closed. From now until removal, only release blocking issues will be considered for distutils. If this issue does not relate to distutils, please remove the component and reopen it. If

2018-02-07 Thread Thomas Arendsen Hein
Thomas Arendsen Hein added the comment: I just stumbled across this problem when starting "idle3" in a directory containing a copy of textwrap.py which was not compatible with python3. In issue13506 idle3 was changed to behave like the regular python shell, i.e. as

2016-09-10 Thread Nick Coghlan
Nick Coghlan added the comment: Reviewing the issue, I think there's still an open question regarding the way distutils handles generated script execution that may impact setuptools as, so adding Jason to the nosy list. For the "don't set sys.path[0] by default" aspect, we would need a

2016-09-08 Thread Christian Heimes
Christian Heimes added the comment: What is the status of this issue? Is isolated mode (-I) a sufficient solution for you? -- versions: +Python 3.6, Python 3.7; -Python 2.6, Python 3.1, Python 3.2, Python 3.3, Python 3.4

2014-01-30 Thread Jakub Wilk
Changes by Jakub Wilk: nosy: +jwilk

2012-11-08 Thread Jeroen Demeyer
Changes by Jeroen Demeyer: Added file: http://bugs.python.org/file27923/sys_path_security.patch

2012-11-08 Thread Jeroen Demeyer
Changes by Jeroen Demeyer: Removed file: http://bugs.python.org/file27536/sys_path_security.patch

2012-11-08 Thread Jeroen Demeyer
Jeroen Demeyer added the comment: I updated sys_path_security.patch with a newer version. This version will be merged in the Python package of Sage (http://www.sagemath.org/). I realise that it looks unlikely that it will be merged in CPython, but at least it's here for reference.

2012-10-15 Thread Jan Lieskovsky
Jan Lieskovsky added the comment: Jeroen, just out of curiosity: is the current issue different from CVE-2008-5983 (at first quick glance it looks to be the same issue)? [1] http://bugs.python.org/issue5753 Thank you, Jan. -- Jan iankko Lieskovsky -- nosy: +iankko

2012-10-15 Thread Nick Coghlan
Nick Coghlan added the comment: It's actually the same as #946373 - it's not about adding the current directory to sys.path, it's adding the directory of a script that's in a world-writable directory (such as /tmp). The difference is that the proposed solution this time recognises that simply

2012-10-15 Thread Jeroen Demeyer
Jeroen Demeyer added the comment: It's sort of the same as #946373, except that bug report deals with other bad consequences of sys.path[0], unrelated to security. #5753 is specifically about the C API, not about running plain Python.

2012-10-15 Thread Jeroen Demeyer
Jeroen Demeyer added the comment: I should point out that there is also dangerous code in Lib/test/test_subprocess.py in the test_cwd() function. There, the following is executed from /tmp:
    python -c 'import sys,os; sys.stdout.write(os.getcwd())'
As Python luckily knows where to import

2012-10-14 Thread hasufell
Changes by hasufell: nosy: +hasufell

2012-10-13 Thread Nick Coghlan
Nick Coghlan added the comment: Definite +1 on distutils needing to be fixed in the upcoming maintenance releases for 2.7, 3.2 and 3.3. -1 on doing the strict path security checks on a normal invocation, -0 on doing them when -S or -E have been passed in, +0 if it is *just* a warning to users

2012-10-13 Thread Nick Coghlan
Nick Coghlan added the comment: Also, what's up with that weird fallback code in distutils? When is tempfile.mkdtemp ever missing?

2012-10-13 Thread Volker Braun
Volker Braun added the comment:
> When is tempfile.mkdtemp ever missing?
It was added in Python 2.3; in the dark ages before that there was only tempfile.mktemp. Though I guess we can remove the fallback now...

2012-10-13 Thread Eric Snow
Eric Snow added the comment: For 3.4, I plan to have a look at the organically-grown-over-time mess that is CPython's current interpreter initialisation system and see if I can figure out something a bit more sane and easier to configure/control (especially when embedding Python in a larger

2012-10-12 Thread Jeroen Demeyer
Jeroen Demeyer added the comment: Robert: I don't think that running scripts in /tmp is inherently unsafe. It is Python's sys.path handling which makes it unsafe. That being said, I am not against distutils being fixed but I do think the root issue should be fixed. And of course you're

2012-10-12 Thread Volker Braun
Volker Braun added the comment: The fact that Python's own testsuite tripped over this proves that this is subtle enough to merit some special handling. 1) It is not, and has never been, a good idea to run/compile anything off /tmp. This isn't specific to Python, it is just common sense that

2012-10-12 Thread Hynek Schlawack
Changes by Hynek Schlawack: nosy: +hynek

2012-10-12 Thread Christian Heimes
Christian Heimes added the comment: Robert Bradshaw's idea is the only feasible option for Python 2.7 or any other version except for 3.4dev. Your suggested modification to sys.path is out of option as it would create a backwards incompatibility with existing software. I'm adding 2.6 to 3.4

2012-10-12 Thread Robert Bradshaw
Robert Bradshaw added the comment: Here's a fix to distutils. I think at least a warning is in order for running scripts from insecure directories, and ideally some happy medium can be found. -- Added file: http://bugs.python.org/file27542/fix_distutils.patch

2012-10-12 Thread Christian Heimes
Christian Heimes added the comment: I'm all in favor for the proposal to add a warning when the script is in a world-writable directory. But any modification can't be added to stable version as it's a new feature. Robert, you have to cleanup and remove the directory manually at the end of the

2012-10-12 Thread Jeroen Demeyer
Jeroen Demeyer added the comment: If you don't plan any further Python-2 releases, it would be a pity that this cannot be fixed. If you do plan a further Python-2 release, I find backwards compatibility a poor excuse. I'm not saying that backwards compatibility should be totally ignored, but

2012-10-12 Thread Christian Heimes
Christian Heimes added the comment: Ultimately it's Benjamin's and Georg's decision. They are the release managers of 2.7 to 3.3 and need to come to an agreement. You have to convince them that the proposed security restriction is worth the risk of breaking 3rd party software. It would help

2012-10-12 Thread Benjamin Peterson
Benjamin Peterson added the comment: distutils should definitely be fixed.

2012-10-12 Thread Robert Bradshaw
Robert Bradshaw added the comment: Good point about cleanup, patch updated. -- Added file: http://bugs.python.org/file27543/fix_distutils.patch

2012-10-12 Thread STINNER Victor
Changes by STINNER Victor: nosy: +haypo

2012-10-12 Thread Éric Araujo
Changes by Éric Araujo: assignee: -> eric.araujo; components: +Distutils; nosy: +eric.araujo, ncoghlan, tarek

2012-10-11 Thread Jeroen Demeyer
New submission from Jeroen Demeyer: There is a serious security problem with Python's default sys.path. If I execute
    $ python /tmp/somescript.py
then Python will add /tmp as sys.path[0], such that an "import foobar" will cause Python to read /tmp/foobar (or variations). This vulnerability
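A defensive check in the spirit of the "warn about or drop an insecure sys.path[0]" options discussed in this thread, added here as an illustration; it is not the sys_path_security.patch or fix_distutils.patch attached to the issue, and the function names are mine. It assumes a POSIX system and only inspects each directory itself, not its parents.

```python
import os
import stat
import sys
import warnings
from typing import Iterator, List, Optional, Sequence, Tuple


def dir_risk(st_mode: int, st_uid: int, my_uid: int) -> Optional[str]:
    """Return why a directory with these stat fields is unsafe as an import root, or None.

    Only the owner and root are trusted to write there.  The sticky bit on /tmp (mode 1777)
    does not help: it stops others deleting your files, not creating a new foobar.py.
    """
    if not stat.S_ISDIR(st_mode):
        return "not a directory"
    if st_mode & stat.S_IWOTH:
        return "world-writable"
    if st_mode & stat.S_IWGRP:
        return "group-writable"  # conservative: any group member could plant a module
    if st_uid not in (my_uid, 0):
        return "owned by another user"  # the owner can create files whatever the mode says
    return None


def insecure_path_entries(path: Optional[Sequence[str]] = None,
                          uid: Optional[int] = None) -> Iterator[Tuple[str, str]]:
    """Yield (entry, reason) for every entry of `path` (default sys.path) that fails dir_risk()."""
    path = sys.path if path is None else path
    uid = os.geteuid() if uid is None else uid
    for entry in path:
        real = os.path.abspath(entry or os.getcwd())  # '' (python -c, REPL) means the cwd
        try:
            st = os.stat(real)
        except OSError as exc:  # e.g. the never-created stdlib .zip entry; dropping it is harmless
            yield entry, "cannot stat: %s" % exc.strerror
            continue
        reason = dir_risk(st.st_mode, st.st_uid, uid)
        if reason:
            yield entry, reason


def harden_sys_path() -> List[str]:
    """Warn about each unsafe sys.path entry, drop it, and return the dropped entries sorted."""
    bad = dict(insecure_path_entries())
    for entry, reason in bad.items():
        warnings.warn("dropping %r from sys.path: %s" % (entry, reason), RuntimeWarning)
    sys.path[:] = [p for p in sys.path if p not in bad]
    return sorted(bad)
```

Called as the first statement of a script started as "python /tmp/somescript.py", harden_sys_path() removes /tmp from sys.path before any later import can resolve to a module planted there.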

2012-10-11 Thread Alan WiIliams
Changes by Alan WiIliams: nosy: +Alan.WiIliams

2012-10-11 Thread Ralf Schmitt
Changes by Ralf Schmitt: nosy: +schmir

2012-10-11 Thread Christian Heimes
Changes by Christian Heimes: nosy: +christian.heimes

2012-10-11 Thread Robert Bradshaw
Robert Bradshaw added the comment: Alternatively, one could fix distutils.util.byte_compile() to execute the script in safe, empty temp directory. Running scripts in /tmp remains, as it has always been, a bad idea. Trying to determine if an import is safe can be arbitrarily complicated (e.g.

2012-10-11 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis: nosy: +Arfrever