Message 315113 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	snizio
Recipients	snizio
Date	2018-04-09.07:48:51
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1523260132.01.0.682650639539.issue33247@psf.upfronthosting.co.za>
In-reply-to

Content
This may lead to e.g. DoS or data leak. When an exception occurs, the Python interpreter displays the stack trace: $ python3 a.py Traceback (most recent call last): File "a.py", line 2, in <module> print(1/0) ZeroDivisionError: division by zero and does so also when there is no source file: $ python3 -c 'print(1/0)' Traceback (most recent call last): File "<string>", line 1, in <module> ZeroDivisionError: division by zero It opens the file in question to read the needed bits, and an the latter case it tries to open file named literally <string>. There is a possibility of a denial of service (a), data leak (b) and other types of problems (c). a) If "<string>" is a symbolic link for example to /dev/stdin or an "empty" fifo, the script hangs. $ ln -s /dev/stdin '<string>' $ python3 -c 'print(1/0)' Traceback (most recent call last): File "<string>", line 1, in <module> # hangs here b) If <string> is a symbolic link, its content will be read as well. This can be a file with some kind of secret data, readable by the user executing the script, but which should not be normally displayed to screen (or for example sent back with HTTP to display the error message). User who can run a certain script (for example using sudo) that calls python -c as root or other user may be able to see parts of otherwise inaccessible files. c) Other attacks (or misbehaviour) is possible, for example file <string> could be a symbolic link to a device file which upon reading triggers some system wide action. An interesting possiblity (if not necessarity a security issue by itself) is a way to trick a user about the cause of the exception, like in the example. $ echo 'print(0/1)' > '<string>' $ python3 -c 'print(1/0)' Traceback (most recent call last): File "<string>", line 1, in <module> print(0/1) ZeroDivisionError: division by zero As it turns out, the file doesn't need to be in the current directory but anywhere in sys.path. I was able to confirm the behaviour on all versions I tried: 2.7.14, 3.5.4 and 3.6.5. This is in a way similar to the problem with Python modules loaded from current working directory: https://bugs.python.org/issue16202 (sys.path[0] security issues) but the essential differences are that: - upon validation system (e.g. a server) may reject Python files but leave out "<string>," - system can sanitize sys.path which helps with the sys.path[0] bug but not the one being described.

This may lead to e.g. DoS or data leak.

When an exception occurs, the Python interpreter displays the stack trace:

$ python3 a.py
Traceback (most recent call last):
  File "a.py", line 2, in <module>
    print(1/0)
ZeroDivisionError: division by zero

and does so also when there is no source file:

$ python3 -c 'print(1/0)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ZeroDivisionError: division by zero

It opens the file in question to read the needed bits, and an the latter
case it tries to open file named literally <string>.

There is a possibility of a denial of service (a), data leak (b) and
other types of problems (c).

a) If "<string>" is a symbolic link for example to /dev/stdin or an
"empty" fifo, the script hangs.

$ ln -s /dev/stdin '<string>'
$ python3 -c 'print(1/0)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>

# hangs here

b) If <string> is a symbolic link, its content will be read as well.
This can be a file with some kind of secret data, readable by the user
executing the script, but which should not be normally displayed to
screen (or for example sent back with HTTP to display the error message).

User who can run a certain script (for example using sudo) that calls
python -c as root or other user may be able to see parts of otherwise
inaccessible files.

c) Other attacks (or misbehaviour) is possible, for example file
<string> could be a symbolic link to a device file which upon reading
triggers some system wide action.

An interesting possiblity (if not necessarity a security issue by
itself) is a way to trick a user about the cause of the exception, like
in the example.

$ echo 'print(0/1)' > '<string>'
$ python3 -c 'print(1/0)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
    print(0/1)
ZeroDivisionError: division by zero




As it turns out, the file doesn't need to be in the current directory
but anywhere in sys.path.

I was able to confirm the behaviour on all versions I tried: 2.7.14,
3.5.4 and 3.6.5.


This is in a way similar to the problem with Python modules loaded from
current working directory:
	https://bugs.python.org/issue16202 (sys.path[0] security issues)
but the essential differences are that:
- upon validation system (e.g. a server) may reject Python files but
leave out "<string>,"
- system can sanitize sys.path which helps with the sys.path[0] bug but
not the one being described.

History
Date	User	Action	Args
2018-04-09 07:48:52	snizio	set	recipients: + snizio
2018-04-09 07:48:52	snizio	set	messageid: <1523260132.01.0.682650639539.issue33247@psf.upfronthosting.co.za>
2018-04-09 07:48:51	snizio	link	issue33247 messages
2018-04-09 07:48:51	snizio	create