[IPython-dev] Insecure loading of mathjax

Kyle Kelley rgbkrk at gmail.com
Fri Aug 1 16:57:10 EDT 2014


Hey all,

As reported in https://github.com/ipython/ipython/issues/6246, MathJax will
load over HTTP if using the notebook with an unencrypted connection (e.g.
http://127.0.0.1:8888). Someone with an appropriate network position (the
router at your local internet cafe for example) could modify the mathjax
javascript before it gets to you, adding their own javascript. This would
result in being able to run code on your IPython kernel with just a little
bit of javascript (`IPython.notebook.kernel.execute(code)`).

This issue was fixed in the git master branch (development branch for
upcoming v. 2.2) with commit cf793ebc4, on 7/31/2014:

https://github.com/ipython/ipython/commit/cf793ebc4f9e8483f104667e4c73748357fa8c56

Mitigations:

* Run the notebook with SSL (see
http://ipython.org/ipython-doc/2/notebook/public_server.html#securing-a-notebook-server).
This will load MathJax over SSL via the MathJax CDN.

* Install mathjax locally

    from IPython.external.mathjax import install_mathjax
    install_mathjax()

We have requested a CVE for this via the oss-security mailing list.
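A quick way to check whether a served notebook page is exposed to this class of problem is to scan its HTML for script tags the browser would fetch over cleartext HTTP from a non-loopback host. The following is an added example written for this post; it is not IPython project code and the sample HTML and CDN hostname in it are constructed for illustration. It uses only the Python standard library.

```python
"""Flag <script src=...> references a browser would fetch over cleartext HTTP.

Added example, not part of the original post or of IPython. Given the HTML of
a notebook page and the origin it was loaded from, it reports external scripts
that travel the network without TLS, i.e. the ones a hostile router could
rewrite. Same-origin loopback scripts (http://127.0.0.1:8888/static/...) never
leave the machine and are not flagged.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _is_loopback(host):
    """True for localhost / 127.x / ::1, where no network attacker sits."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def insecure_script_sources(html, page_origin):
    """Return script URLs fetched over plain HTTP from a non-loopback host.

    page_origin is the URL the notebook page itself was opened from; relative
    (/static/...) and scheme-relative (//cdn/...) sources inherit its scheme
    and/or host, which is why a scheme-relative CDN reference is only safe
    when the page is served over HTTPS.
    """
    page = urlsplit(page_origin)
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        parts = urlsplit(src)
        scheme = (parts.scheme or page.scheme or "").lower()
        host = parts.hostname or page.hostname or ""
        if scheme == "http" and not _is_loopback(host):
            flagged.append(src)
    return flagged


# Constructed sample page: the hostnames below are placeholders, not the
# real MathJax CDN.
SAMPLE_PAGE = """<html><head>
<script src="/static/components/jquery/jquery.min.js"></script>
<script type="text/javascript"
        src="http://mathjax-cdn.example/MathJax.js?config=TeX-AMS_HTML"></script>
<script src="https://cdn.example.test/ok.js"></script>
<script src="//cdn.example.test/scheme-relative.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for origin in ("http://127.0.0.1:8888", "https://notebook.example:8888"):
        print(origin)
        for src in insecure_script_sources(SAMPLE_PAGE, origin):
            print("  insecure:", src)
```

Run against a page opened over plain HTTP, the check reports both the absolute http:// CDN reference and the scheme-relative one; once the server is put behind SSL as described above, only the hard-coded http:// reference remains, which is exactly the case the linked commit addresses.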

--
Kyle Kelley (@rgbkrk; http://lambdaops.com)

