➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2015-03-23 10:37 by pythonhacker, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| hack_uname.py | pythonhacker, 2015-03-23 10:37 | |||
| Messages (6) | |||
|---|---|---|---|
| msg239005 - (view) | Author: Anand B Pillai (pythonhacker) * | Date: 2015-03-23 10:37 | |
>> import platform
>>> print 'Actual =>',platform.uname()
Actual => ('Linux', 'toshiba-laptop', '3.13.0-24-generic', '#47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014', 'x86_64', 'x86_64')
>>> import hack_uname
# Someone imports my module unaware of the hack (see attached file)
>>> platform.uname()
('Limux', 'hacker-laptop', '11.15.0-28000-absurd', '#10000 - FunkyDistro SMMP Fry Feb 30 2015 23:59:00 UTC 2015', 'x866_64', 'x866_64')
Fix - Make the global _uname_cache inaccessible via the module and hence unwriteable. I can provide a patch - it is kind of easy fix.
I think this might also be a security issue since if someone is writing a significant piece of code based on the platform it can screw up the system - or his web application if a piece of code like this is introduced in a module via his chain of imports by a malicious hacker.
|
|||
| msg239007 - (view) | Author: Anand B Pillai (pythonhacker) * | Date: 2015-03-23 10:40 | |
I am changing the type to security as I dont think this is a behaviour issue. |
|||
| msg239008 - (view) | Author: STINNER Victor (vstinner) *  |
Date: 2015-03-23 10:43 | |
we are all consenting adults here. Why do you modify a private attribute? > I am changing the type to security as I dont think this is a behaviour issue. I don't understand why do you consider that it is a security vulnerability? >>> import hack_uname # Someone imports my module unaware of the hack (see attached file) Your exploit starts by running untrusted Python code. Never do that. The vulnerability is the ability to load unstrusted Python code, not to modify the platform module. I close the issue as not a bug. |
|||
| msg239009 - (view) | Author: Anand B Pillai (pythonhacker) * | Date: 2015-03-23 11:02 | |
Hmmm... dear sir - what prevents you from adding an __all__ to the module with these cache variables excluded ? |
|||
| msg239010 - (view) | Author: Anand B Pillai (pythonhacker) * | Date: 2015-03-23 11:04 | |
Closing is an easy fix, bet on my word this would appear as a different bug, thanks for your quickie fix! |
|||
| msg239011 - (view) | Author: STINNER Victor (vstinner) * |
Date: 2015-03-23 12:18 | |
> Hmmm... dear sir - what prevents you from adding an __all__ to the module with these cache variables excluded ? You didn't understand the general philosophy, we are not hidding internals. For the specific case of platform._uname_cache, it uses the "_" prefix which is an indicator saying that "you are not supposed to modify it except if you really understand what do you". It's useful to have this variable modifiable, for unit tests for example. I don't see how adding __all__ variable to the platform would change anything. Variables prefixed by "_" are already excluded when using "from platform import *". If you don't understand the Python philosophy, please open a thread on python-ideas or even python-dev mailing list, to get a longer explanation. Read also the PEP 20. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:14 | admin | set | github: 67936 |
| 2015-03-23 12:18:47 | vstinner | set | messages: + msg239011 |
| 2015-03-23 11:04:03 | pythonhacker | set | messages: + msg239010 |
| 2015-03-23 11:02:39 | pythonhacker | set | messages: + msg239009 |
| 2015-03-23 10:43:46 | vstinner | set | status: open -> closed nosy: + vstinner messages: + msg239008 resolution: not a bug |
| 2015-03-23 10:40:32 | pythonhacker | set | type: behavior -> security messages: + msg239007 |
| 2015-03-23 10:37:50 | pythonhacker | create | |