
Author: ncoghlan
Recipients: brett.cannon, christian.heimes, larry, ncoghlan, nedbat, petr.viktorin, steve.dower
Date: 2018-01-16 06:32:39
Message-id: <1516084359.86.0.467229070634.issue32551@psf.upfronthosting.co.za>
Content
PR submitted for 3.5. Since the problem was in a full release this time (rather than a pre-release the way it was for 3.6), I've reclassified it as a security bug, since it means some previously safe operations (where no user-writable directory would end up on sys.path even without the "-I" switch) are technically unsafe.

There's a fair combination of factors required for it to actually cause a problem though:

- it only comes up if you're *not* using isolated mode (so the "workaround" is "Use isolated mode when running privileged processes", which is something we recommend doing anyway)
- it only comes up for directory or zipfile execution, *not* normal script execution
- you have to be executing an admin-controlled directory or zipfile, rather than one the user has write access to (otherwise there's no new opportunity for code injection introduced)
- for actual privilege escalation to take place as a result of the code injection, you have to be running the command with elevated privileges

That said, I suspect exactly the above may happen when using PEX files (https://github.com/pantsbuild/pex), since I can't find any reference in their code to forcing the use of isolated mode in the underlying interpreter.
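An added example, not code from this issue or from CPython, of the defensive check the comment above implies: on POSIX, inspect the permission bits of every sys.path entry (directory or zipfile) and flag any that a user other than the process owner could write to, so a privileged launcher can refuse to start. The names `writable_by_others`, `audit_sys_path` and `demo` are mine, and the temporary directories are constructed input.

```python
"""Audit sys.path for entries a less-privileged user could modify (POSIX only)."""
import os
import stat
import sys
import tempfile


def writable_by_others(path, trusted_uid=None):
    """Return a reason string if `path` (a directory or a zipfile) could be
    written by someone other than `trusted_uid` (default: the effective uid),
    else None."""
    if trusted_uid is None:
        trusted_uid = os.geteuid()
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # A missing entry can be created by whoever can write its parent.
        return "does not exist"
    if st.st_uid != trusted_uid:
        return f"owned by uid {st.st_uid}, not {trusted_uid}"
    # World-writable is flagged even with the sticky bit set: new module files
    # can still be dropped into such a directory.
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"
    return None


def audit_sys_path(entries=None, trusted_uid=None):
    """Return [(entry, reason), ...] for every risky entry; an empty string on
    sys.path stands for the current working directory."""
    if entries is None:
        entries = sys.path
    findings = []
    for entry in entries:
        probe = entry or os.getcwd()
        reason = writable_by_others(probe, trusted_uid)
        if reason:
            findings.append((entry, reason))
    return findings


def demo():
    """Constructed input: one locked-down directory and one world-writable one."""
    base = tempfile.mkdtemp()
    safe = os.path.join(base, "site-packages")
    os.mkdir(safe)
    os.chmod(safe, 0o755)
    unsafe = os.path.join(base, "dropzone")
    os.mkdir(unsafe)
    os.chmod(unsafe, 0o777)
    return audit_sys_path([safe, unsafe])  # -> [(unsafe, "world-writable")]
```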
History

Date                 User      Action  Args
2018-01-16 06:32:39  ncoghlan  set     recipients: + ncoghlan, brett.cannon, larry, christian.heimes, nedbat, petr.viktorin, steve.dower
2018-01-16 06:32:39  ncoghlan  set     messageid: <1516084359.86.0.467229070634.issue32551@psf.upfronthosting.co.za>
2018-01-16 06:32:39  ncoghlan  link    issue32551 messages
2018-01-16 06:32:39  ncoghlan  create