On 02Sep2014 04:02, Steven D'Aprano <steve+comp.lang.pyt...@pearwood.info> wrote:
> Roy Smith wrote:
> > Hmmm. Didn't we just have a thread about passing external data to
> > shells?
> >
> > $ mkdir '/tmp/;rm -rf;'
> > $ TMPDIR='/tmp/;rm -rf;' python
> > Python 2.7.3 (default, Sep 26 2013, 20:03:06)
> > [GCC 4.6.3] on linux2
> > Type "help", "copyright", "credits" or "license" for more information.
> > >>> import tempfile
> > >>> f = tempfile.NamedTemporaryFile()
> > >>> f.name
> > '/tmp/;rm -rf;/tmpW8HFTr'
>
> Seems like a lot of trouble to go to to erase your own system. Couldn't you
> just run rm -rf / on your own system prior to launching Python?
>
> But seriously, I'm not sure what attack vector you think you have found.
> By definition, this is calling out to an external application, which might
> do *anything*. It needs to be used in a trusted environment, like any other
> tool which calls out to external applications.
> [...]
> I'm not really seeing how this is a security vulnerability. If somebody can
> break into my system and set a hostile GIT_EDITOR, or TMPDIR, environment
> variables, I've already lost.
> [...]
> Have I missed something? I really don't think this is a vulnerability, and I
> don't see how using the subprocess module would make it safer.
It is not just about being hacked.
It is about being robust in the face of unusual setups.
If I were producing this function for general use (even my own personal general
use) it would need to be reliable. That includes things like $TMPDIR having
spaces in it (or other unfortunate punctuation).
On any system where people use GUIs to manipulate files and folders, having
spaces and arbitrary punctuation in pathnames is common. Pointing $TMPDIR at
such a place for a special purpose is not unreasonable.
People keep assuming injection is all about malice and being hacked. It is not.
It is also about robustness and reliability, and possible silent
failure/misfunction.
Cheers,
Cameron Simpson <c...@zip.com.au>
st...@ensoniq.com says...
| Motorcycle maintenance is an art, isn't it?
By the time you've finished, it's a black art.
- Dave Parry <d.pa...@ic.ac.uk>
--
https://mail.python.org/mailman/listinfo/python-list
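Added example, not part of the thread above: it demonstrates Cameron's robustness point with a benign command. A scratch directory whose name contains a space and a semicolon (constructed here to mimic a user-chosen $TMPDIR) is handed to `cat` three ways: interpolated into a shell string, as a subprocess argument list, and shell-quoted with `shlex.quote`. The string-interpolation form returns exit status 0 with the wrong output, which is exactly the silent misfunction the message warns about. All names are this example's own.

```python
import os
import shlex
import shutil
import subprocess
import tempfile


def awkward_tmpdir():
    """Create a scratch directory whose name holds a space and a semicolon.
    Constructed for the example; stands in for an unusual $TMPDIR.
    Returns (base, odd) so the caller can clean up base afterwards."""
    base = tempfile.mkdtemp()
    odd = os.path.join(base, "scratch dir;echo injected")
    os.mkdir(odd)
    return base, odd


def run_naive(path):
    """Build the command by string interpolation and let a shell re-parse it.
    The space splits the path into two words and the ';' starts a second
    command, so the file is never read. Returns (exit status, stdout)."""
    cmd = "cat %s" % path
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def run_robust(path):
    """Pass an argument list with no shell: the path is delivered to cat as
    a single argv entry, whatever punctuation it contains."""
    proc = subprocess.run(["cat", path], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def run_quoted(path):
    """When a shell is unavoidable, shlex.quote turns the path into one
    shell word so the shell cannot split it or see the ';'."""
    cmd = "cat %s" % shlex.quote(path)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def demo():
    """Write a small file under the awkward directory and read it back
    three ways. Returns the (status, stdout) pair from each approach."""
    base, odd = awkward_tmpdir()
    try:
        with tempfile.NamedTemporaryFile(
            "w", dir=odd, suffix=".txt", delete=False
        ) as f:
            f.write("payload ok\n")
            target = f.name
        naive = run_naive(target)
        robust = run_robust(target)
        quoted = run_quoted(target)
    finally:
        shutil.rmtree(base)
    return naive, robust, quoted


if __name__ == "__main__":
    for label, result in zip(("naive", "robust", "quoted"), demo()):
        print("%-7s status=%d stdout=%r" % (label, result[0], result[1]))
```

Note that the naive form does not fail loudly: the shell runs `cat` on the two fragments of the path (which fails, on stderr), then runs the `echo` that followed the semicolon, and the exit status reported back to Python is that of the last command, 0. A caller checking only the return code would believe the file had been read. Both the argument-list form and the `shlex.quote` form return the file's actual contents.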