Date: Tue, 2 Sep 2014 08:14:14 +1000
From: Cameron Simpson
To: python-list@python.org
Subject: Re: Editing text with an external editor in Python
Newsgroups: comp.lang.python
In-Reply-To: <5404b4b5$0$29976$c3e8da3$5496439d@news.astraweb.com>

On 02Sep2014 04:02, Steven D'Aprano wrote:
>Roy Smith wrote:
>> Hmmm. Didn't we just have a thread about passing external data to
>> shells?
>>
>> $ mkdir '/tmp/;rm -rf;'
>> $ TMPDIR='/tmp/;rm -rf;' python
>> Python 2.7.3 (default, Sep 26 2013, 20:03:06)
>> [GCC 4.6.3] on linux2
>> Type "help", "copyright", "credits" or "license" for more information.
>> >>> import tempfile
>> >>> f = tempfile.NamedTemporaryFile()
>> >>> f.name
>> '/tmp/;rm -rf;/tmpW8HFTr'
>
>Seems like a lot of trouble to go to to erase your own system. Couldn't you
>just run rm -rf / on your own system prior to launching Python?
>
>But seriously, I'm not sure what attack vector you think you have found.
>By definition, this is calling out to an external application, which might
>do *anything*. It needs to be used in a trusted environment, like any other
>tool which calls out to external applications.
[...]
>I'm not really seeing how this is a security vulnerability. If somebody can
>break into my system and set a hostile GIT_EDITOR, or TMPDIR, environment
>variables, I've already lost.
[...]
>Have I missed something? I really don't think this is a vulnerability, and I
>don't see how using the subprocess module would make it safer.

It is not just about being hacked. It is about being robust in the face of
unusual setups.

If I were producing this function for general use (even my own personal
general use) it would need to be reliable. That includes things like $TMPDIR
having spaces in it (or other unfortunate punctuation). On any system where
people use GUIs to manipulate files and folders, having spaces and arbitrary
punctuation in pathnames is common. Pointing $TMPDIR at such a place for a
special purpose is not unreasonable.

People keep assuming injection is all about malice and being hacked. It is
not. It is also about robustness and reliability, and possible silent
failure/misfunction.

Cheers,
Cameron Simpson

Steph@ensoniq.com says...
| Motorcycle maintenance is an art, isn't it? By the time you've finished,
| it's a black art. - Dave Parry
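The robustness point in the reply above can be made concrete with a small script. This is an added example, not code from the thread or from any of its posters: it creates a temp file under a directory whose name contains spaces (a constructed stand-in for a $TMPDIR a GUI user might set), then launches a stand-in "editor" three ways: interpolating the path into a shell command string, as `os.system` users do; passing an argv list to `subprocess`; and, for the case where a shell really is needed, quoting with `shlex.quote`. The stand-in editor is a Python one-liner that reports the argv it received, which is constructed for the example; it assumes Python 3 on a POSIX system and that `sys.executable` itself contains no whitespace. Nothing destructive is run; the split path alone shows where the shell-string form goes wrong.

```python
import json
import os
import shlex
import subprocess
import sys
import tempfile

# Stand-in "editor" for this example (constructed, not a real editor): a
# Python one-liner that prints the argv it was given as JSON, so we can see
# exactly what the editor process received. A real $EDITOR (vi, nano, ...)
# has its arguments split by the shell in the same way.
ARGV_ECHO = "import json, sys; print(json.dumps(sys.argv[1:]))"


def run_editor_via_shell_string(path):
    """Fragile form, in the spirit of os.system("%s %s" % (editor, path)):
    the path is interpolated into a command line that /bin/sh re-tokenizes.
    Assumes sys.executable contains no whitespace."""
    cmd = "%s -c '%s' %s" % (sys.executable, ARGV_ECHO, path)
    return json.loads(subprocess.check_output(cmd, shell=True).decode())


def run_editor_via_argv_list(path):
    """Robust form: subprocess with an argv list. No shell is involved, so
    nothing re-tokenizes the path, whatever characters it contains."""
    out = subprocess.check_output([sys.executable, "-c", ARGV_ECHO, path])
    return json.loads(out.decode())


def run_editor_via_quoted_shell(path):
    """If a shell is unavoidable, quote every interpolated value with
    shlex.quote so each one stays a single word to the shell."""
    cmd = "%s -c %s %s" % (sys.executable, shlex.quote(ARGV_ECHO),
                           shlex.quote(path))
    return json.loads(subprocess.check_output(cmd, shell=True).decode())


def editor_argv(path, editor=None):
    """Build the argv list for the user's $EDITOR. A multi-word setting such
    as "emacs -nw" is split with shlex, not by handing the shell a string,
    and the path is appended as one element regardless of its contents."""
    editor = editor or os.environ.get("EDITOR", "vi")
    return shlex.split(editor) + [path]


def demo():
    """Create a temp file under a directory whose name contains spaces and
    compare what each invocation style actually hands to the editor."""
    with tempfile.TemporaryDirectory() as base:
        odd_dir = os.path.join(base, "my temp dir")   # constructed $TMPDIR-like path
        os.mkdir(odd_dir)
        with tempfile.NamedTemporaryFile(dir=odd_dir) as f:
            return {
                "path": f.name,
                "shell_string": run_editor_via_shell_string(f.name),
                "argv_list": run_editor_via_argv_list(f.name),
                "quoted_shell": run_editor_via_quoted_shell(f.name),
            }


if __name__ == "__main__":
    result = demo()
    print("temp file:   ", result["path"])
    print("shell string:", result["shell_string"])   # path arrives in pieces
    print("argv list:   ", result["argv_list"])      # one intact argument
    print("quoted shell:", result["quoted_shell"])   # one intact argument
    print("editor argv: ", editor_argv(result["path"], "emacs -nw"))
```

Run it and the shell-string variant shows the editor being handed three arguments ("/tmp/.../my", "temp", "dir/tmpXXXX"), which a real editor would treat as three files to open; the argv-list and quoted variants hand it exactly one. The failure is silent: no exception, just the wrong file edited, which is the misfunction the reply describes.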