Python CGI security

Michael Ströder michael at stroeder.com
Mon Jul 3 05:22:50 EDT 2000


Thomas Wouters wrote:
> 
> On Mon, 03 Jul 2000 08:47:47 +0200, Michael Ströder <michael at stroeder.com>
> wrote:
> >"E. Jordan Bojar" wrote:
> 
> >> [..] buffer overflow [..] 
> 
> >I'm not a C programmer at all and therefore I just naively used a
> >tool named ITS4: <URL: http://www.rstcorp.com/its4/> to find parts
> >in the Python interpreter which might have buffer overrun issues. I
> >would really like to have some discussion about the ITS4-output.
> 
> If you do want to have that discussion, feel free to send me that report, 
> or post it here

Ok, here are some examples from Python1.6a2 sources (see below). I'm
not a C programmer, therefore such tools are my only possibility to
raise some discussion by pointing to code. Of course the tool
outputs only hints. Not every code line listed is a real security
hole.

I understand that the Python application itself is responsible for
dealing with some issues (e.g. race conditions with files) since the
Python libs only wrap some system libs. And I understand that some
of the functions listed as dangerous are used in a safe way
with appropriate parameters.

But IMHO a discussion about security issues would be worthwhile.

Ciao, Michael.

----------------------------------------------------------------------
Modules/posixmodule.c:248:(Urgent) popen
Easy to run arbitrary commands through env vars.
Use fork + execve + pipes instead.
----------------
[..]
----------------
Modules/posixmodule.c:1151:(Urgent) system
Easy to run arbitrary commands through env vars. Also, potential TOCTOU problems.
Use fork + execve instead.
----------------
[..]
----------------
Modules/posixmodule.c:605:(Very Risky) access
Potential race condition on: path
Points of concern are:
Modules/posixmodule.c:605: access
Modules/posixmodule.c:701: chmod
Modules/posixmodule.c:1063: mkdir
Modules/posixmodule.c:1065: mkdir
Modules/posixmodule.c:1254: utime
Modules/posixmodule.c:2235: readlink
Modules/posixmodule.c:3263: statvfs
Manipulate file descriptors, not symbolic names, when possible.
----------------
[..]
----------------
Modules/main.c:117:(Very Risky) getenv
Often seen in conjunction with buffer overflows, etc.
Remember that env vars can contain arbitrary malicious input.  Test accordingly before use.
----------------
[..]
----------------
Modules/posixmodule.c:1863:(Very Risky) getlogin
It is very easy to fool.
Don't trust its output.
----------------
[..]
----------------
Modules/parsermodule.c:1032:(Very Risky) sprintf
This function is high risk for buffer overflows
Use snprintf if available, or precision specifiers, if available.
----------------
[..]
----------------
Modules/getpath.c:186:(Very Risky) stat
Potential race condition on: filename
Points of concern are:
Modules/getpath.c:186: stat
Modules/getpath.c:216: stat
Modules/getpath.c:231: stat
Modules/main.c:194: fopen
Python/bltinmodule.c:883: fopen
Python/pythonrun.c:583: fopen
Python/traceback.c:157: fopen
Manipulate file descriptors, not symbolic names, when possible.
----------------
[..]
----------------
Modules/posixmodule.c:385:(Very Risky) strcat
This function is high risk for buffer overflows
Use strncat instead.
----------------
[..]
----------------
Modules/posixmodule.c:827:(Very Risky) strcpy
This function is high risk for buffer overflows
Use strncpy instead.
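The ITS4 hints above (popen/system reachable through environment variables, TOCTOU races on path names checked with access/stat) map onto two habits a Python CGI author can adopt at the script level, regardless of what the interpreter's C wrappers do. The following is an added example written for this page, not code from the post, from ITS4 or from the Python sources: it runs a child program through subprocess with `shell=False` (fork + execve underneath) and a minimal constructed environment, and it validates a file on an open descriptor with `fstat` and `O_NOFOLLOW` instead of checking the path name first and opening it afterwards. The file names and the "user input" are constructed for the demo, and a POSIX platform with `O_NOFOLLOW` is assumed.

```python
"""Two defensive patterns for the ITS4 findings (added example, not from the post).

1. Execute external programs without a shell and with a minimal environment,
   so neither shell metacharacters in user data nor inherited env vars
   (IFS, PATH, LD_*) influence what runs.
2. Check file properties on an open file descriptor, not on a symbolic name,
   so there is no access()/stat()-then-open() window to race.
"""
import os
import stat
import subprocess
import sys
import tempfile

# Constructed minimal environment: nothing is inherited from the web server.
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def run_without_shell(argv, env=SAFE_ENV):
    """Run argv via fork+execve (subprocess with shell=False).

    Each element of argv reaches the child verbatim as one argument; no shell
    ever parses the string, so ';', '|', '$(...)' in untrusted data stay data.
    """
    if not argv or not all(isinstance(a, str) for a in argv):
        raise ValueError("argv must be a non-empty list of strings")
    result = subprocess.run(argv, env=env, shell=False,
                            capture_output=True, text=True, check=False)
    return result.returncode, result.stdout


def echo_user_input(user_value):
    """Hand untrusted input to a child program as a single argument.

    The child is the Python interpreter itself (portable); it prints argv[1]
    so the caller can see exactly what arrived, metacharacters included.
    """
    code = "import sys; print(sys.argv[1])"
    return run_without_shell([sys.executable, "-c", code, user_value])


def open_regular_file_nofollow(path):
    """Open first, then validate the *descriptor* with fstat.

    O_NOFOLLOW makes open() fail if the final path component is a symlink,
    and fstat() inspects the object actually opened, so a swap of the name
    between check and use cannot redirect us to another file.
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # assumed POSIX
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path} is not a regular file")
    except Exception:
        os.close(fd)
        raise
    return fd, st


def demo_fd_checks():
    """Constructed scenario: a regular file and a symlink pointing at it."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "upload.txt")
        with open(regular, "w") as f:
            f.write("hello\n")
        link = os.path.join(d, "link.txt")
        os.symlink(regular, link)

        fd, st = open_regular_file_nofollow(regular)
        os.close(fd)
        regular_ok = st.st_size == 6

        try:
            open_regular_file_nofollow(link)
            symlink_rejected = False
        except OSError:
            symlink_rejected = True
        return {"regular_ok": regular_ok, "symlink_rejected": symlink_rejected}


if __name__ == "__main__":
    # Constructed hostile-looking input: with shell=False it is just text.
    print(echo_user_input("report.txt; id"))
    print(demo_fd_checks())
```

The first call shows that `report.txt; id` comes back unchanged as one argument, which is the whole point of passing a list instead of a string to `os.system`/`os.popen`; the second shows the regular file accepted and the symlink refused at `open()` time rather than after a separate `access()` check.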