Message 172686 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	jdemeyer
Recipients	jdemeyer
Date	2012-10-11.20:10:22
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1349986223.57.0.879834971708.issue16202@psf.upfronthosting.co.za>
In-reply-to

Content
There is a serious security problem with Python's default sys.path. If I execute $ python /tmp/somescript.py then Python will add /tmp as sys.path[0], such that an "import foobar" will cause Python to read /tmp/foobar (or variations). This vulnerability exists in particular in distutils.util.byte_compile() with direct=False. Since the Python test suite calls this function, users running the Python test suite are vulnerable. I think the root of this issue should be fixed: Python should not simply add stuff to sys.path without checking. In prepared a patch for CPython-2.7 which only adds sys.path[0] if it seems secure to do so, by looking at file/directory permissions and ownership. In particular, it would never add /tmp to sys.path, but it would still keep the current behaviour when running a script in a directory owned by the current user with 0755 permissions. See the patch for details. I realize this goes against documented Python behaviour, but I think that a broken spec needs to be fixed. I also think that in most use cases, nothing is going to change because normally one doesn't need to import from /tmp. In any case, users can still manipulate sys.path directly. Feel free to fix this issue in a different way than my patch, but I hope you at least implement the spirit of my patch. The patch has only been tested on Linux systems. Credit goes to Volker Braun for first discovering this issue in Sage, see http://trac.sagemath.org/sage_trac/ticket/13579

There is a serious security problem with Python's default sys.path.  If I execute

$ python /tmp/somescript.py

then Python will add /tmp as sys.path[0], such that an "import foobar" will cause Python to read /tmp/foobar (or variations).  This vulnerability exists in particular in distutils.util.byte_compile() with direct=False.  Since the Python test suite calls this function, users running the Python test suite are vulnerable.

I think the root of this issue should be fixed: Python should not simply add stuff to sys.path without checking.  In prepared a patch for CPython-2.7 which only adds sys.path[0] if it seems secure to do so, by looking at file/directory permissions and ownership.  In particular, it would never add /tmp to sys.path, but it would still keep the current behaviour when running a script in a directory owned by the current user with 0755 permissions.  See the patch for details.

I realize this goes against documented Python behaviour, but I think that a broken spec needs to be fixed.  I also think that in most use cases, nothing is going to change because normally one doesn't need to import from /tmp.  In any case, users can still manipulate sys.path directly.

Feel free to fix this issue in a different way than my patch, but I hope you at least implement the spirit of my patch.  The patch has only been tested on Linux systems.

Credit goes to Volker Braun for first discovering this issue in Sage, see http://trac.sagemath.org/sage_trac/ticket/13579

History
Date	User	Action	Args
2012-10-11 20:10:24	jdemeyer	set	recipients: + jdemeyer
2012-10-11 20:10:23	jdemeyer	set	messageid: <1349986223.57.0.879834971708.issue16202@psf.upfronthosting.co.za>
2012-10-11 20:10:23	jdemeyer	link	issue16202 messages
2012-10-11 20:10:23	jdemeyer	create