Message310134
Good catch Eryk, I misdiagnosed what was going on, since the current directory and the parent directory were the same location in Ned's particular example.
I double checked, and we resolve symlinks in path entries *before* performing the incorrect directory traversal ("..." below indicates the usual standard path entries, "/tmp" is the unexpected entry introduced by the bug), so it isn't possible to use a symlink to get a user-controlled directory onto the path:
```
$ ./python /tmp/spam
/tmp/spam
/tmp
...
$ ln -s /tmp/spam /tmp/mydir/malicious
$ ./python /tmp/mydir/malicious
/tmp/mydir/malicious
/tmp
...
```
That means that as far as I can tell, this is just a plain old bug, rather than a potential security concern (since privileged admin-controlled commands tend generally live in admin-controlled directories, as if they didn't, potential attackers would be able to replace them with arbitrary code directly) |
|
Date |
User |
Action |
Args |
2018-01-17 03:42:24 | ncoghlan | set | recipients:
+ ncoghlan, brett.cannon, larry, christian.heimes, nedbat, petr.viktorin, eryksun, steve.dower |
2018-01-17 03:42:23 | ncoghlan | set | messageid: <1516160543.9.0.467229070634.issue32551@psf.upfronthosting.co.za> |
2018-01-17 03:42:23 | ncoghlan | link | issue32551 messages |
2018-01-17 03:42:23 | ncoghlan | create | |
|