Message 87281 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	iankko
Recipients	barry, benjamin.peterson, glyph, gregory.p.smith, iankko, loewis, pitrou, psss
Date	2009-05-05.21:00:33
SpamBayes Score	1.363909e-13
Marked as misclassified	No
Message-id	<1241557234.83.0.276883492451.issue5753@psf.upfronthosting.co.za>
In-reply-to

Content
Antoine, (re: #msg87083, #msg87084) -- while the API change is acceptable and reasonable, it doesn't solve the core of the problem. I understand the change needs to be 'backward compatible' and shouldn't break the existing Python behavior, but the current proposed patch: 1, doesn't avoid the need to fix the issue (by calling "PySys_SetArgvEx(argc, argv, 0);") in all current applications embedding Python, 2, doesn't dismiss the risk of future appearance of application, embedding Python interpreter and using it in a vulnerable way (in fact, all what it does, is adding recommendation / alternative to use more safer PySys_SetArgv(, , 0) for such cases. I don't think we can just rely on the fact, the developers will use it in a safe way in the future -- or did I overlooked something? Wouldn't be possible to fix it 'only in Python' and prevent such potential future malicious (mis)uses? To Martin (re: #msg87212): What's the question of 'security nature' of the issue, Glyph in message #msg86927 already uncovered potential implications -- if the application was written either 'by accident', or 'by intention', it shouldn't just allow to execute anything with the privileges of superuser, and even worse, doing it silently (then the only warranty for the unprivileged user would be to rely on the fact, the function was called 'in a safe way' in the application and I suppose such assumption would completely discourage him from running it). I recommend the final fix should be applied to all active Python branches (just comment on second part of Martin's comment). Regards, Jan.

Antoine,

  (re: #msg87083, #msg87084) -- while the API change is acceptable and
reasonable, it doesn't solve the core of the problem. I understand
the change needs to be 'backward compatible' and shouldn't break
the existing Python behavior, but the current proposed patch:

1, doesn't avoid the need to fix the issue (by calling
"PySys_SetArgvEx(argc, argv, 0);") in all current applications embedding
Python,

2, doesn't dismiss the risk of future appearance of application, 
embedding Python interpreter and using it in a vulnerable way
(in fact, all what it does, is adding recommendation / alternative
to use more safer PySys_SetArgv(*, *, 0) for such cases. I don't think
we can just rely on the fact, the developers will use it in a safe
way in the future -- or did I overlooked something?

Wouldn't be possible to fix it 'only in Python' and prevent such
potential future malicious (mis)uses?

To Martin (re: #msg87212):

What's the question of 'security nature' of the issue, Glyph in
message #msg86927 already uncovered potential implications --
if the application was written either 'by accident', or 'by intention',
it shouldn't just allow to execute anything with the privileges of
superuser, and even worse, doing it silently (then the only warranty
for the unprivileged user would be to rely on the fact, the function
was called 'in a safe way' in the application and I suppose such
assumption would completely discourage him from running it).

I recommend the final fix should be applied to all active Python
branches (just comment on second part of Martin's comment).

Regards, Jan.

History
Date	User	Action	Args
2009-05-05 21:00:35	iankko	set	recipients: + iankko, loewis, barry, gregory.p.smith, pitrou, benjamin.peterson, glyph, psss
2009-05-05 21:00:34	iankko	set	messageid: <1241557234.83.0.276883492451.issue5753@psf.upfronthosting.co.za>
2009-05-05 21:00:33	iankko	link	issue5753 messages
2009-05-05 21:00:33	iankko	create