Message 335271 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Gabriel Corona
Recipients	Gabriel Corona
Date	2019-02-11.21:46:00
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1549921560.53.0.488831977782.issue35971@roundup.psfhosted.org>
In-reply-to

Content
The CLI tools shipped in Debian python-rdflib-tools package can load modules from the current directory [1]: $ echo 'print("Something")' > cgi.py $ rdf2dot INFO:rdflib:RDFLib Version: 4.2.2 Something Reading from stdin as None... This could be a security issue because an attacker could possibly exploit this behavior to execute arbitrary code. This happens because these CLI tools are implemented as: #!/bin/sh exec /usr/bin/python -m rdflib.tools.rdfpipe $* "python -m $module", "python -c $code" and "$command \| python" prepend the current working directory in the Python path. The Python documentation [2] should probably warn about this. In Python 3, "-I" could be suggested to prevent the script/current directory to be added to the Python path. However, this flag has other effects. The Python documentation suggests "python -m" commands at some places [3-5]: some form of warning at those places might be nice as well. See the related behavior of Perl. Perl used to include "." in @INC but this was removed for security reasons [6]. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921751. [2] https://docs.python.org/3/using/cmdline.html [3] https://docs.python.org/3.1/library/json.html [4] https://docs.python.org/3/library/http.server.html [5] https://docs.python.org/3/library/zipapp.html [6] https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-%28%22.%22%29-from-@INC

The CLI tools shipped in Debian python-rdflib-tools package can load modules from the current directory [1]:

    $ echo 'print("Something")' > cgi.py
    $ rdf2dot
    INFO:rdflib:RDFLib Version: 4.2.2
    Something
    Reading from stdin as None...

This could be a security issue because an attacker could possibly exploit this behavior to execute arbitrary code.

This happens because these CLI tools are implemented as:

    #!/bin/sh
    
    exec /usr/bin/python -m rdflib.tools.rdfpipe $*

"python -m $module", "python -c $code" and "$command | python" prepend the current working directory in the Python path. The Python documentation [2] should probably warn about this. In Python 3, "-I" could be suggested to prevent the script/current directory to be added to the Python path. However, this flag has other effects.

The Python documentation suggests "python -m" commands at some places [3-5]: some form of warning at those places might be nice as well.

See the related behavior of Perl. Perl used to include "." in @INC but this was removed for security reasons [6].


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921751.
[2] https://docs.python.org/3/using/cmdline.html
[3] https://docs.python.org/3.1/library/json.html
[4] https://docs.python.org/3/library/http.server.html
[5] https://docs.python.org/3/library/zipapp.html
[6] https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-%28%22.%22%29-from-@INC

History
Date	User	Action	Args
2019-02-11 21:46:00	Gabriel Corona	set	recipients: + Gabriel Corona
2019-02-11 21:46:00	Gabriel Corona	set	messageid: <1549921560.53.0.488831977782.issue35971@roundup.psfhosted.org>
2019-02-11 21:46:00	Gabriel Corona	link	issue35971 messages
2019-02-11 21:46:00	Gabriel Corona	create