Is this a security risk with Python too?

Jeff Epler jepler at unpythonic.net
Fri Aug 16 22:52:33 CEST 2002


On Fri, Aug 16, 2002 at 09:39:33PM +0400, Roman Suzi wrote:
> Still I think it's more serious. Look at this:
> 
> $ echo '0/0' > re.py
> $ python2
> Python 2.2.1 (#1, May 21 2002, 09:12:04)
> >>> import re
> >>> re.compile("123")
> Traceback (most recent call last):
>   File "<stdin>", line 1, in ?
> AttributeError: 'module' object has no attribute 'compile'
> >>>

If you run Python interactively, the current directory is placed as the
first entry on sys.path.

If you run a script with
    python2 /.../blah.py
then the directory where blah.py is sys.path[0], instead of '.'.

Of course, if the program uses Tkinter (or makybe if it can simply be
talked into importing it), then it is vulnerable to any security problem
that tcl has.

On Unix, you can of course symlink any script to a directory you can
write to:
    ln -s /.../blah.py .
    python2 ./blah.py
will put '.' in sys.path[0].  You can also set PYTHONPATH to insert
directories just after sys.path[0].

If you're talking about using a program with a setuid wrapper like the
one in Misc/setuid-prog.c, it should not be vulnerable to either of
these two ways to set sys.path entries.  If you're talking about
tricking root or another user into running a script while in a directory
you have write access to, that problem doesn't seem to exist in Python
because it lets sys.path[0] be the directory of the script, not always
'.'.

Jeff




More information about the Python-list mailing list