This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author ncoghlan
Recipients brett.cannon, christian.heimes, eryksun, larry, ncoghlan, nedbat, petr.viktorin, steve.dower
Date 2018-01-17.03:42:23
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1516160543.9.0.467229070634.issue32551@psf.upfronthosting.co.za>
In-reply-to
Content 
Good catch Eryk, I misdiagnosed what was going on, since the current directory and the parent directory were the same location in Ned's particular example.

I double checked, and we resolve symlinks in path entries *before* performing the incorrect directory traversal ("..." below indicates the usual standard path entries, "/tmp" is the unexpected entry introduced by the bug), so it isn't possible to use a symlink to get a user-controlled directory onto the path:

```
$ ./python /tmp/spam
/tmp/spam
/tmp
...
$ ln -s /tmp/spam /tmp/mydir/malicious
$ ./python /tmp/mydir/malicious
/tmp/mydir/malicious
/tmp
...
```

That means that as far as I can tell, this is just a plain old bug, rather than a potential security concern (since privileged admin-controlled commands tend generally live in admin-controlled directories, as if they didn't, potential attackers would be able to replace them with arbitrary code directly)
History
Date User Action Args
2018-01-17 03:42:24ncoghlansetrecipients: + ncoghlan, brett.cannon, larry, christian.heimes, nedbat, petr.viktorin, eryksun, steve.dower
2018-01-17 03:42:23ncoghlansetmessageid: <1516160543.9.0.467229070634.issue32551@psf.upfronthosting.co.za>
2018-01-17 03:42:23ncoghlanlinkissue32551 messages
2018-01-17 03:42:23ncoghlancreate