Message310039
PR submitted for 3.5. Since the problem was in a full release this time (rather than a pre-release the way it was for 3.6), I've reclassified it as a security bug, since it means some previously safe operations (where no user-writable directory would end up on sys.path even without the "-I" switch) are technically unsafe.
There's a fair combination of factors required for it to actually cause a problem though:
- it only comes up if you're *not* using isolated mode (so the "workaround" is "Use isolated mode when running privileged processes", which is something we recommend doing anyway)
- it only comes up for directory or zipfile execution, *not* normal script execution
- you have to be executing an admin-controlled directory or zipfile, rather than one the user has write access to (otherwise there's no new opportunity for code injection introduced)
- for actual privilege escalation to take place as a result of the code injection, you have to be running the command with elevated privileges
That said, I suspect exactly the above may happen when using PEX files (https://github.com/pantsbuild/pex), since I can't find any reference in their code to forcing the use of isolated mode in the underlying interpreter.
Date | User | Action | Args
2018-01-16 06:32:39 | ncoghlan | set | recipients: + ncoghlan, brett.cannon, larry, christian.heimes, nedbat, petr.viktorin, steve.dower
2018-01-16 06:32:39 | ncoghlan | set | messageid: <1516084359.86.0.467229070634.issue32551@psf.upfronthosting.co.za>
2018-01-16 06:32:39 | ncoghlan | link | issue32551 messages
2018-01-16 06:32:39 | ncoghlan | create |
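As an added example (not code from the tracker issue, from CPython or from PEX), the check a launcher for privileged zipapp or directory execution would want: it audits a list of sys.path entries for anything an unprivileged user could write to, and a small live harness builds a throwaway zipapp, runs it with and without -I, and audits the sys.path the child interpreter reports. The classification rules (empty string, relative path, group/world-writable, untrusted owner, judged on the nearest existing ancestor for paths inside a zipfile), the POSIX-only path handling and the helper names `risky_entries`, `nearest_existing` and `audit_zipapp` are assumptions of this example, as is the constructed fake filesystem used to exercise it.

```python
"""Audit sys.path for entries an unprivileged user could write to.

Added illustration; not code from the tracker issue or from CPython.  The
rules below are assumptions distilled from the message above: a sys.path
entry is a code-injection risk if it is the empty string (the cwd), a
relative path, group- or world-writable, or owned by an untrusted uid.
When the entry itself does not exist (e.g. a path inside a zipfile) the
nearest existing ancestor is judged instead.  POSIX path semantics assumed.
"""
import json
import os
import posixpath
import stat
import subprocess
import sys
import tempfile
import zipfile


def nearest_existing(path, stat_of):
    """Walk up from `path` to the first component for which stat_of() is not None.
    Returns (existing_path, info) or (None, None) if nothing up to '/' exists."""
    while True:
        info = stat_of(path)
        if info is not None:
            return path, info
        parent = posixpath.dirname(path)
        if parent == path:          # reached the root without finding anything
            return None, None
        path = parent


def risky_entries(path_entries, stat_of, trusted_uids=(0,)):
    """Return [(entry, reason)] for the entries of `path_entries` that a user
    without elevated privileges could populate with a module of their choice.

    `stat_of(path)` returns (st_mode, st_uid) or None if the path does not
    exist; it is a parameter so the check runs on constructed data as well as
    on the live filesystem.
    """
    findings = []
    for entry in path_entries:
        if entry == "":
            findings.append((entry, "empty string: resolves to the current working directory"))
            continue
        if not posixpath.isabs(entry):
            findings.append((entry, "relative path: resolved against the cwd at import time"))
            continue
        existing, info = nearest_existing(entry, stat_of)
        if existing is None:
            findings.append((entry, "no existing ancestor could be inspected"))
            continue
        mode, uid = info
        where = "" if existing == entry else f" (judged by ancestor {existing})"
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, f"group- or world-writable{where}"))
        elif uid not in trusted_uids:
            findings.append((entry, f"owned by untrusted uid {uid}{where}"))
    return findings


def live_stat(path):
    """stat_of() implementation backed by the real filesystem."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_mode, st.st_uid


def audit_zipapp(extra_flags=()):
    """Build a throwaway zipapp whose __main__ reports its sys.path, run it
    with `extra_flags`, and return (reported_entries, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "app.zip")
        with zipfile.ZipFile(app, "w") as zf:
            zf.writestr("__main__.py", "import json, sys\nprint(json.dumps(sys.path))\n")
        proc = subprocess.run([sys.executable, *extra_flags, app],
                              capture_output=True, text=True, check=True, cwd=tmp)
        entries = json.loads(proc.stdout)
    # Directories owned by the running user are its own business; the concern
    # is entries that *other* unprivileged users can write to.
    me = os.geteuid() if hasattr(os, "geteuid") else 0
    return entries, risky_entries(entries, live_stat, trusted_uids={0, me})


if __name__ == "__main__":
    for flags in ((), ("-I",)):
        entries, findings = audit_zipapp(flags)
        print("python", *flags, "app.zip ->", entries)
        for entry, reason in findings:
            print("  RISK:", repr(entry), reason)
```

Run as a script it prints the sys.path a zipapp sees under each flag set; on an interpreter where the zipfile itself is the only non-stdlib entry nothing is flagged, while a build that also inserts the cwd or another writable directory, as the message describes, gets that entry reported. The live part depends on the machine it runs on, so only the pure `risky_entries` logic is exercised with constructed data.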