Is this a security risk with Python too?

Richard Jones rjones at ekit-inc.com
Sat Aug 17 01:49:11 CEST 2002


On Sat, 17 Aug 2002 3:39 am, Roman Suzi wrote:
> On 16 Aug 2002, Bernhard Herzog wrote:
> >Gerhard HДring <gerhard.haering at opus-gmbh.net> writes:
> >> Roman Suzi wrote:
> >> > Among numerous security alerts, I saw the following:
> >
> >[current working directory on a module search path]
> >
> >> > Is this true for Python too (in some cases)?
> >>
> >> No, unless you explicitely put the working directory into Python's
> >> search path by changing PYTHONPATH or sys.path, for example.
> >
> >Or when you're running in interactive mode or the script you pass on the
> >commandline is in the working directory.
>
> Still I think it's more serious. Look at this:
>
> $ echo '0/0' > re.py
> $ python2
> Python 2.2.1 (#1, May 21 2002, 09:12:04)
>
> >>> import re
> >>> re.compile("123")
>
> Traceback (most recent call last):
>   File "<stdin>", line 1, in ?
> AttributeError: 'module' object has no attribute 'compile'
>
>
> The problem is, by default, modules in the local directory have priority
> over standard libraries. So, if the author of Python virus will call it as
> one of the standard modules and tricks me into even simply _saving_ his
> file into $HOME, Trojan could trigger by any innocent program I will try in
> the same directory!
>
> And do I need to know every Python module in order to safely name a program
> and safely run it from some directory? The same is true for *.so files.
>
> Maybe it is feasible to have two pythons: one which seeks curdir last (or
> not at all) (spython) and another - the usual one. This way system
> utilities could use Python scripts with better safety, even if they are
> copied to the current dir.

Having the local modules import last changes nothing. Any module can modify 
the "re" module when it's imported.

What you want, I believe, is to have a "secure" python that doesn't import 
from the "current directory" at all.

I say "secure" because really, if someone's got write access to your current 
dir, you're in deep poo anyway. What's to stop them writing a new "python" 
program there. Most unixes have '.' first in the user's search PATH. Ever 
notice how the "root" user doesn't though?


     Richard





More information about the Python-list mailing list