
Author jbeck
Recipients jbeck
Date 2016-02-22.22:50:17
Message-id <1456181417.61.0.91952600054.issue26414@psf.upfronthosting.co.za>
Content
A bug has been filed against Solaris' internal version of Python, which is
largely the same (including in this case) as the base version we get from
python.org.  The bug is that os.defpath starts with ':' and thus any Python
script run with a null PATH environment variable will use the current
working directory as its first entry.  This is generally considered to
be bad practice, and especially dangerous for anyone running with root
privileges on a Unix box.  So we intend to change Solaris' version of
Python to elide this, i.e., to apply the attached patch to our 2.7 version
and comparable patches to our 3.4 and 3.5 versions.

As a precaution, I queried the security list before filing this bug, asking:

* Is this intentional?  (Seems like it but I couldn't find any documentation
  to confirm.)
* If so, why?  (Feel free to point me to any docs I missed.)
* If it is intentional, and we were to change our version anyway, do you know
  of any gotchas we should look out for?  There were no regressions when I
  ran the Python test suite.

and got the following reply:

---
From: Guido van Rossum <guido@python.org>
Date: Sat, 20 Feb 2016 09:29:11 -0800
Subject: Re: [PSRT] os.defpath too permissive

Wow. That looks like something really old. I think you can just file
an issue with a patch for this at bugs.python.org. I agree that it
should be fixed. I don't think there are many users that would be
vulnerable, nor do I think that much code would break; the only use in
the stdlib has os.environ.get("PATH", os.defpath) so in all practical
cases it would get the user's $PATH variable (which is presumably
safe) anyway.
---

So I am now filing this bug as suggested.
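The following is an added illustration, not code from the bug report or from CPython: it resolves a command name against a PATH-style string the way a shell or `execvp` does, treating an empty entry (what a leading `:` produces) as the current working directory, and shows the hardened variant that drops such entries before searching. The scratch directories, the fake `ls` scripts and the helper names are all constructed for the demo.

```python
"""Why an empty entry in a search path (e.g. a leading ':') is risky.

Added example, not part of issue 26414. A PATH string like ":/usr/bin" splits
into ["", "/usr/bin"]; the empty element means "look in the current directory
first", so whatever sits in the cwd shadows the real binary.
"""
import os
import stat
import tempfile

PATHSEP = os.pathsep  # ':' on Unix


def split_search_path(path):
    """Split a PATH-style string; '' entries mean the current directory."""
    return path.split(PATHSEP)


def cwd_entries(path):
    """Positions of entries that resolve to the cwd ('' or '.')."""
    return [i for i, d in enumerate(split_search_path(path)) if d in ("", ".")]


def sanitize_search_path(path):
    """Drop '' and '.' so the cwd is never searched implicitly."""
    return PATHSEP.join(d for d in split_search_path(path) if d not in ("", "."))


def resolve_executable(name, path, cwd):
    """First executable file named `name` along `path`, '' meaning `cwd`."""
    for d in split_search_path(path):
        candidate = os.path.join(cwd if d == "" else d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo():
    """Plant an 'ls' in a scratch cwd and in a scratch bin dir; compare lookups."""
    root = tempfile.mkdtemp()
    bindir, workdir = os.path.join(root, "bin"), os.path.join(root, "work")
    for d in (bindir, workdir):
        os.mkdir(d)
        script = os.path.join(d, "ls")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho from %s\n" % d)  # constructed stand-in
        os.chmod(script, os.stat(script).st_mode | stat.S_IXUSR)
    unsafe = PATHSEP + bindir  # same shape as a defpath starting with ':'
    safe = sanitize_search_path(unsafe)
    return {
        "unsafe_hits_cwd": resolve_executable("ls", unsafe, workdir) == os.path.join(workdir, "ls"),
        "safe_hits_bindir": resolve_executable("ls", safe, workdir) == os.path.join(bindir, "ls"),
    }
```

Running `cwd_entries(os.defpath)` on an affected build returns `[0]`, which is the check to add to a hardening review; `sanitize_search_path` is the equivalent of the patch's intent applied at lookup time.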