➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2015-10-01 09:26 by Hiroki Kiyohara, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Messages (6) | |||
|---|---|---|---|
| msg252012 - (view) | Author: Hiroki Kiyohara (Hiroki Kiyohara) | Date: 2015-10-01 09:26 | |
Running `python` interpreter will import `readline.py` file in current directory. It causes unexpected code execution. This problem is reported by 'Japan Vulnerability Notes' as a bug on Windows version Python http://jvn.jp/jp/JVN49503705/ It says that when we run Windows version python will import `readline.pyd` file in current directory. And it may run unexpected codes with permission assigned to python.exe. The line causing this problem may be... https://github.com/python/cpython/blob/2.7/Lib/code.py#L303 Should it be considered as vulnerability of python (or Windows version python)? |
|||
| msg252015 - (view) | Author: Xiang Zhang (xiang.zhang) *  |
Date: 2015-10-01 10:19 | |
I can reproduce this action on Ubuntu. The forged readline.py in python's execution directory can steal the permission of python and do something dangerous. |
|||
| msg252027 - (view) | Author: R. David Murray (r.david.murray) * |
Date: 2015-10-01 13:55 | |
This is not a bug, this is the way python works. When running in interactive mode (only) the current directory is first on the path. Now, should this behavior be changed? I think we've discussed this before and decided not to change it (for backward compatibility reasons), but I think there was dissent and that increasing emphasis on security since that discussion might argue for a different outcome. It's a python-dev mailing list level issue, in any case. |
|||
| msg252028 - (view) | Author: R. David Murray (r.david.murray) * |
Date: 2015-10-01 14:03 | |
Well, so much for my memory :(. The actual discussion was in issue 12238, where *my* conclusion was that this should be fixed (readline should be special cased), but the issue is still open. Patches welcome :) |
|||
| msg252077 - (view) | Author: Hiroki Kiyohara (Hiroki Kiyohara) | Date: 2015-10-02 01:04 | |
I see. Thank you very much, guys. |
|||
| msg252180 - (view) | Author: Akira Li (akira) * | Date: 2015-10-02 23:25 | |
python3 -I could be used as a workaround. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:22 | admin | set | github: 69475 |
| 2015-10-02 23:25:41 | akira | set | nosy:
+ akira messages: + msg252180 |
| 2015-10-02 01:04:04 | Hiroki Kiyohara | set | messages: + msg252077 |
| 2015-10-01 14:03:10 | r.david.murray | set | status: open -> closed superseder: Readline module loading in interactive mode messages: + msg252028 resolution: duplicate stage: resolved |
| 2015-10-01 13:55:34 | r.david.murray | set | nosy:
+ r.david.murray messages: + msg252027 |
| 2015-10-01 10:19:20 | xiang.zhang | set | nosy:
+ xiang.zhang messages: + msg252015 |
| 2015-10-01 09:26:41 | Hiroki Kiyohara | create | |