| Date | 2014-09-02 08:14 +1000 |
|---|---|
| From | Cameron Simpson <cs@zip.com.au> |
| Subject | Re: Editing text with an external editor in Python |
| References | <5404b4b5$0$29976$c3e8da3$5496439d@news.astraweb.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.13696.1409609665.18130.python-list@python.org> (permalink) |
On 02Sep2014 04:02, Steven D'Aprano <steve+comp.lang.python@pearwood.info> wrote:
>Roy Smith wrote:
>> Hmmm. Didn't we just have a thread about passing external data to
>> shells?
>>
>> $ mkdir '/tmp/;rm -rf;'
>> $ TMPDIR='/tmp/;rm -rf;' python
>> Python 2.7.3 (default, Sep 26 2013, 20:03:06)
>> [GCC 4.6.3] on linux2
>> Type "help", "copyright", "credits" or "license" for more information.
>>>>> import tempfile
>>>>> f = tempfile.NamedTemporaryFile()
>>>>> f.name
>> '/tmp/;rm -rf;/tmpW8HFTr'
>
>Seems like a lot of trouble to go to to erase your own system. Couldn't you
>just run rm -rf / on your own system prior to launching Python?
>
>But seriously, I'm not sure what attack vector you think you have found.
>By definition, this is calling out to an external application, which might
>do *anything*. It needs to be used in a trusted environment, like any other
>tool which calls out to external applications.
[...]
>I'm not really seeing how this is a security vulnerability. If somebody can
>break into my system and set a hostile GIT_EDITOR, or TMPDIR, environment
>variables, I've already lost.
[...]
>Have I missed something? I really don't think this is a vulnerability, and I
>don't see how using the subprocess module would make it safer.
It is not just about being hacked.
It is about being robust in the face of unusual setups.
If I were producing this function for general use (even my own personal general
use) it would need to be reliable. That includes things like $TMPDIR having
spaces in it (or other unfortunate punctuation).
On any system where people use GUIs to manipulate files and folders, having
spaces and arbitrary punctuation in pathnames is common. Pointing $TMPDIR at
such a place for a special purpose is not unreasonable.
People keep assuming injection is all about malice and being hacked. It is not.
It is also about robustness and reliability, and possible silent
failure/misfunction.
Cheers,
Cameron Simpson <cs@zip.com.au>
Steph@ensoniq.com says...
| Motorcycle maintenance is an art, isn't it?
By the time you've finished, it's a black art.
- Dave Parry <d.parry@ic.ac.uk>
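The robustness point Cameron makes above, as an added example that is not code from this thread or from any poster: the same "hand a temp file to $EDITOR" helper written two ways, run against a TMPDIR-like directory whose name contains a space. The first builds a shell command line by string concatenation, the second passes an argv list with no shell. A small Python script stands in for the editor so the example runs without a terminal; it assumes a POSIX /bin/sh and that sys.executable can be named on a shell command line unquoted. The directory name "odd dir" and the fake editor are constructed for the example.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# Stand-in for $EDITOR (constructed for this example): a script that appends
# one line to the file it receives as its first argument, then exits 0.
FAKE_EDITOR_SRC = (
    "import sys\n"
    "with open(sys.argv[1], 'a') as f:\n"
    "    f.write('edited\\n')\n"
)


def make_fake_editor(workdir):
    script = os.path.join(workdir, "fake_editor.py")
    with open(script, "w") as f:
        f.write(FAKE_EDITOR_SRC)
    return script


def _write_temp(text, tmpdir):
    fd, path = tempfile.mkstemp(dir=tmpdir, suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


def edit_text_shell_string(text, editor_cmd, tmpdir):
    """Fragile: the temp file's path is spliced into a shell command line, so
    whitespace and punctuation in $TMPDIR are re-parsed by the shell."""
    path = _write_temp(text, tmpdir)
    rc = subprocess.call("%s %s" % (editor_cmd, path), shell=True)
    with open(path) as f:
        return rc, f.read()


def edit_text_argv(text, editor_argv, tmpdir):
    """Robust: the path travels as a single argv element and no shell is
    involved, so the editor sees it byte-for-byte whatever $TMPDIR holds."""
    path = _write_temp(text, tmpdir)
    rc = subprocess.call(list(editor_argv) + [path])
    with open(path) as f:
        return rc, f.read()


def demo():
    """Run both variants with a temp directory named 'odd dir' (constructed).

    Returns ((rc, text) from the shell-string variant,
             (rc, text) from the argv variant)."""
    workdir = tempfile.mkdtemp()
    try:
        script = make_fake_editor(workdir)
        odd_tmpdir = os.path.join(workdir, "odd dir")   # space in the path
        os.mkdir(odd_tmpdir)
        # The shell splits ".../odd dir/tmpXXXX.txt" at the space, so the
        # editor appends to a file called ".../odd" and exits 0: the call
        # "succeeds" but the text we read back is unchanged.
        fragile = edit_text_shell_string(
            "hello\n", "%s %s" % (sys.executable, script), odd_tmpdir)
        # The argv form delivers the whole path as one argument.
        robust = edit_text_argv(
            "hello\n", [sys.executable, script], odd_tmpdir)
        return fragile, robust
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    fragile, robust = demo()
    print("shell string:", fragile)   # rc 0, text unchanged: silent misfunction
    print("argv list:   ", robust)
```

Note that the fragile variant does not raise or return a non-zero status; it quietly edits the wrong file, which is exactly the "silent failure/misfunction" Cameron describes, and it happens with nothing more hostile than a space in a directory name.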
Editing text with an external editor in Python Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-09-02 02:11 +1000
Re: Editing text with an external editor in Python Chris Angelico <rosuav@gmail.com> - 2014-09-02 02:35 +1000
Re: Editing text with an external editor in Python Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-09-02 04:23 +1000
Re: Editing text with an external editor in Python Tim Chase <python.list@tim.thechases.com> - 2014-09-01 15:06 -0500
Re: Editing text with an external editor in Python alister <alister.nospam.ware@ntlworld.com> - 2014-09-02 08:35 +0000
Re: Editing text with an external editor in Python Chris Angelico <rosuav@gmail.com> - 2014-09-02 18:45 +1000
Re: Editing text with an external editor in Python alister <alister.nospam.ware@ntlworld.com> - 2014-09-03 08:06 +0000
Re: Editing text with an external editor in Python Terry Reedy <tjreedy@udel.edu> - 2014-09-02 17:14 -0400
Re: Editing text with an external editor in Python Chris Angelico <rosuav@gmail.com> - 2014-09-03 07:36 +1000
Re: Editing text with an external editor in Python Terry Reedy <tjreedy@udel.edu> - 2014-09-02 21:49 -0400
Re: Editing text with an external editor in Python Zachary Ware <zachary.ware+pylist@gmail.com> - 2014-09-02 22:03 -0500
Re: Editing text with an external editor in Python Chris Angelico <rosuav@gmail.com> - 2014-09-02 08:30 +1000
Re: Editing text with an external editor in Python Roy Smith <roy@panix.com> - 2014-09-01 13:06 -0400
Re: Editing text with an external editor in Python Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-09-02 04:02 +1000
Re: Editing text with an external editor in Python Cameron Simpson <cs@zip.com.au> - 2014-09-02 08:14 +1000
Re: Editing text with an external editor in Python Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-09-02 13:18 +1000
Re: Editing text with an external editor in Python Chris Angelico <rosuav@gmail.com> - 2014-09-02 08:25 +1000
Re: Editing text with an external editor in Python gschemenauer3@gmail.com - 2014-09-01 19:24 -0700