Message239005
>> import platform
>>> print 'Actual =>',platform.uname()
Actual => ('Linux', 'toshiba-laptop', '3.13.0-24-generic', '#47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014', 'x86_64', 'x86_64')
>>> import hack_uname
# Someone imports my module unaware of the hack (see attached file)
>>> platform.uname()
('Limux', 'hacker-laptop', '11.15.0-28000-absurd', '#10000 - FunkyDistro SMMP Fry Feb 30 2015 23:59:00 UTC 2015', 'x866_64', 'x866_64')
Fix - Make the global _uname_cache inaccessible via the module and hence unwriteable. I can provide a patch - it is kind of easy fix.
I think this might also be a security issue since if someone is writing a significant piece of code based on the platform it can screw up the system - or his web application if a piece of code like this is introduced in a module via his chain of imports by a malicious hacker. |
|
Date |
User |
Action |
Args |
2015-03-23 10:37:50 | pythonhacker | set | recipients:
+ pythonhacker |
2015-03-23 10:37:50 | pythonhacker | set | messageid: <1427107070.63.0.510567117775.issue23748@psf.upfronthosting.co.za> |
2015-03-23 10:37:50 | pythonhacker | link | issue23748 messages |
2015-03-23 10:37:50 | pythonhacker | create | |
|