[New-bugs-announce] [issue33247] File "<string>" is opened and read unconditionally

Sławomir Nizio report at bugs.python.org
Mon Apr 9 03:48:52 EDT 2018

New submission from Sławomir Nizio <poczta-sn at gazeta.pl>:

This may lead to e.g. DoS or data leak.

When an exception occurs, the Python interpreter displays the stack trace:

$ python3 a.py
Traceback (most recent call last):
  File "a.py", line 2, in <module>
ZeroDivisionError: division by zero

and does so also when there is no source file:

$ python3 -c 'print(1/0)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ZeroDivisionError: division by zero

It opens the file in question to read the needed bits, and an the latter
case it tries to open file named literally <string>.

There is a possibility of a denial of service (a), data leak (b) and
other types of problems (c).

a) If "<string>" is a symbolic link for example to /dev/stdin or an
"empty" fifo, the script hangs.

$ ln -s /dev/stdin '<string>'
$ python3 -c 'print(1/0)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>

# hangs here

b) If <string> is a symbolic link, its content will be read as well.
This can be a file with some kind of secret data, readable by the user
executing the script, but which should not be normally displayed to
screen (or for example sent back with HTTP to display the error message).

User who can run a certain script (for example using sudo) that calls
python -c as root or other user may be able to see parts of otherwise
inaccessible files.

c) Other attacks (or misbehaviour) is possible, for example file
<string> could be a symbolic link to a device file which upon reading
triggers some system wide action.

An interesting possiblity (if not necessarity a security issue by
itself) is a way to trick a user about the cause of the exception, like
in the example.

$ echo 'print(0/1)' > '<string>'
$ python3 -c 'print(1/0)'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ZeroDivisionError: division by zero

As it turns out, the file doesn't need to be in the current directory
but anywhere in sys.path.

I was able to confirm the behaviour on all versions I tried: 2.7.14,
3.5.4 and 3.6.5.

This is in a way similar to the problem with Python modules loaded from
current working directory:
	https://bugs.python.org/issue16202 (sys.path[0] security issues)
but the essential differences are that:
- upon validation system (e.g. a server) may reject Python files but
leave out "<string>,"
- system can sanitize sys.path which helps with the sys.path[0] bug but
not the one being described.

components: Interpreter Core
messages: 315113
nosy: snizio
priority: normal
severity: normal
status: open
title: File "<string>" is opened and read unconditionally
type: security

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list