Message137473
Running the python binary without a script or using the -i flag will
start the process in interactive mode. The interactive mode requires an
external module to be loaded: readline.
Per default behavior, Python also tries to load this module from the current working directory (see also trace below)
strcpy(0x7fff17609ed8, ".so") = 0x7fff17609ed8
fopen64("readline.so", "rb" <unfinished ...>
SYS_open("readline.so", 0, 0666) = -2
<... fopen64 resumed> ) = 0
strcpy(0x7fff17609ed8, "module.so") = 0x7fff17609ed8
fopen64("readlinemodule.so", "rb" <unfinished ...>
SYS_open("readlinemodule.so", 0, 0666)
The module is imported in Modules/main.c line 663:
if ((Py_InspectFlag || ......
isatty(fileno(stdin))) {
PyObject *v;
v = PyImport_ImportModule("readline");
Why consider this a security bug: basically because you don't expect a
program to import a shared library from your current directory _unless_
you explicitly tell it to (e.g. import blah).
On a multi user system, someone could plant a malicious shared libraries
named "readline.so" in an attempt to hack a user that runs python in
interactive mode.
The risk obviously _very_ low but nevertheless worth to consider improving by, for example, loading readline with a more strict path? (e.g. python lib directories only?)
Niels
AN EXAMPLE:
-----------
The code below is compiled to readline.so and stored in /tmp:
void __attribute__ ((constructor)) _load();
void _load() {
printf("DING DONG!\n");
}
foo@foo:/tmp$ ls -l /tmp/readline.so
-rwxr-x--- 1 nnnnn nnn 7952 Mar 29 16:24 /tmp/readline.so
foo@foo:/tmp$ python
Python 2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
DING DONG!
>>> |
|
Date |
User |
Action |
Args |
2011-06-02 11:57:40 | Niels.Heinen | set | recipients:
+ Niels.Heinen |
2011-06-02 11:57:40 | Niels.Heinen | set | messageid: <1307015860.03.0.129842780518.issue12238@psf.upfronthosting.co.za> |
2011-06-02 11:57:39 | Niels.Heinen | link | issue12238 messages |
2011-06-02 11:57:38 | Niels.Heinen | create | |
|