[New-bugs-announce] [issue35755] Remove current directory from posixpath.defpath to enhance security

STINNER Victor report at bugs.python.org
Wed Jan 16 18:41:46 EST 2019


New submission from STINNER Victor <vstinner at redhat.com>:

Currently, posixpath.defpath is equal to:

defpath = ':/bin:/usr/bin'

It gives 3 directories:

>>> posixpath.defpath.split(posixpath.pathsep)
['', '/bin', '/usr/bin']

where the empty string means "the current directory". Searching the current directory for an executable can be a security issue, since it may let an attacker get an arbitrary command executed.

The Linux exec(3) manual page contains an interesting note about the empty string having been removed by accident in glibc 2.24:

http://man7.org/linux/man-pages/man3/execvp.3.html

NOTES

       The default search path (used when the environment does not contain
       the variable PATH) shows some variation across systems.  It generally
       includes /bin and /usr/bin (in that order) and may also include the
       current working directory.  On some other systems, the current
       working directory is included after /bin and /usr/bin, as an anti-Trojan-horse
       measure.  The glibc implementation long followed the traditional
       default where the current working directory is included at the start
       of the search path.  However, some code refactoring during the
       development of glibc 2.24 caused the current working directory to be
       dropped altogether from the default search path.  This accidental
       behavior change is considered mildly beneficial, and won't be
       reverted.

       (...)

Context of this issue: this discussion started in my PR 11579, which modifies the subprocess module to use posix_spawnp():
https://github.com/python/cpython/pull/11579#pullrequestreview-193261299


So I propose to replace defpath = ':/bin:/usr/bin' with defpath = '/bin:/usr/bin' which gives 2 directories:

>>> '/bin:/usr/bin'.split(posixpath.pathsep)
['/bin', '/usr/bin']

This change would only affect os.get_exec_path(), and so indirectly the subprocess module (when the executable contains no directory), *when the PATH environment variable is not set*.
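To make the difference concrete, here is a small added example (not part of the issue or of CPython itself) that mimics how os.get_exec_path() falls back to defpath when PATH is unset, and then resolves a bare command name the way an execvp-style search does, treating the empty entry as the current working directory. It plants a constructed executable in a temporary directory used as the cwd and shows that the old default picks it up while the proposed default does not. The helper names (exec_search_dirs, find_executable, demo) are this example's own.

```python
import os
import posixpath
import stat
import tempfile

# The two candidate default search paths discussed in the issue.
OLD_DEFPATH = ':/bin:/usr/bin'   # current defpath: empty entry first
NEW_DEFPATH = '/bin:/usr/bin'    # proposed defpath: no current directory


def exec_search_dirs(defpath, env=None):
    """Mimic os.get_exec_path(): use PATH from the environment when it is
    set, otherwise fall back to the default path; return the directory list.
    An empty entry stands for the current working directory."""
    env = os.environ if env is None else env
    return env.get('PATH', defpath).split(posixpath.pathsep)


def find_executable(name, dirs, cwd):
    """Resolve a bare command name against a directory list, execvp-style:
    the first directory holding an executable regular file wins, and the
    empty entry ('') is searched as the current working directory."""
    if os.sep in name:
        return None  # names containing a directory are not searched
    for directory in dirs:
        candidate = os.path.join(directory or cwd, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo(command='ls'):
    """Return (found_in_cwd_with_old_default, found_in_cwd_with_new_default).

    A constructed executable named like a common tool is planted in a
    temporary directory that plays the role of the current directory,
    and PATH is deliberately left unset so the default path is used."""
    with tempfile.TemporaryDirectory() as cwd:
        planted = os.path.join(cwd, command)
        with open(planted, 'w') as f:
            f.write('#!/bin/sh\necho planted\n')  # constructed sample file
        os.chmod(planted, stat.S_IRWXU)

        env = {}  # no PATH: os.get_exec_path() would fall back to defpath
        old_hit = find_executable(command, exec_search_dirs(OLD_DEFPATH, env), cwd)
        new_hit = find_executable(command, exec_search_dirs(NEW_DEFPATH, env), cwd)
        # With the empty entry first, the planted file shadows /bin/ls;
        # without it, the lookup only ever reaches the system directories.
        return old_hit == planted, new_hit == planted


if __name__ == '__main__':
    print('os.get_exec_path({}) on this interpreter:', os.get_exec_path({}))
    print('planted file resolved (old default, new default):', demo())
```

The demo is only a model of the lookup order; the real resolution happens inside the C library (or in subprocess's own search when posix_spawnp() is not used), but the ordering it shows is exactly why an empty leading entry matters: anything placed in the current directory is found before /bin.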

----------
components: Library (Lib)
messages: 333801
nosy: christian.heimes, giampaolo.rodola, gregory.p.smith, vstinner
priority: normal
severity: normal
status: open
title: Remove current directory from posixpath.defpath to enhance security
type: security
versions: Python 3.8

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35755>
_______________________________________

