Serious privacy leak in Python for Windows

Richard M. Smith rms at computerbytesman.com
Tue Jan 15 17:04:36 EST 2002


Hello,

There is a privacy leak problem in many Python implementations for
Windows which allows a malicious Web page or HTML email message to read
the contents of a file from a user's hard drive and send the contents
back to a Web site.  The problem occurs in Windows Python implementations
that support Python as a scripting language for Web pages in Internet
Explorer.

The problem exists because the Python runtime library does not consider
file read operations to be a security risk.  File read operations are
allowed to execute on a Web page without restriction. File write
operations, on the other hand, are blocked.

For example, the following Python code on a Web page will run
successfully:

   <SCRIPT language=python>
   import __builtin__
   myfile = __builtin__.open("c:\\autoexec.bat")
   document.write(str(myfile.readlines()))
   myfile.close()
   </SCRIPT>

This particular example opens the file c:\autoexec.bat and writes the
file contents to the Web page.  The program could easily be changed to
send the contents of the file back to a Web site by using an HTML form,
a Web bug, or the Microsoft XML HTTP ActiveX control.

Here is a second example, which shows a directory listing of C:\ on a Web
page:

   <SCRIPT language=python>
   import os
   for file in os.listdir("c:\\"):
      document.writeln(file, "<br>")
   </SCRIPT>

This directory listing example is available online, so you can test
whether a particular computer system is vulnerable to the problem:

   http://www.computerbytesman.com/privacy/pythondirdemo.htm

To fix this privacy leak, the Python runtime library should block all
file operations when Python code is being used on a Web page, not just
file write operations.
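To make the two policies concrete, here is an added example (not code from this post, and not the code of the Python ActiveScripting engine it describes) that models both behaviours in ordinary Python: a "block_writes" policy that refuses only write modes, which is what the post observed, and a "block_all" policy that refuses every file operation, which is the fix the post asks for. The guards, the `run_page_script` harness, the policy names and the temp file standing in for c:\autoexec.bat are all assumptions made for the illustration.

```python
import builtins
import os
import tempfile


class ScriptFileAccessError(PermissionError):
    """Raised when page script attempts a file operation the active policy forbids."""


# Keep references to the real implementations so the guards can delegate and so
# the fixture setup below is unaffected by whichever policy is installed.
_real_open = builtins.open
_real_listdir = os.listdir


def _write_only_guard(file, mode="r", *args, **kwargs):
    # Policy "block_writes": the behaviour the post describes. Only write,
    # append, create and update modes are refused; plain reads go through.
    if any(flag in mode for flag in "wax+"):
        raise ScriptFileAccessError(f"write access to {file!r} refused")
    return _real_open(file, mode, *args, **kwargs)


def _deny_all(*args, **kwargs):
    # Policy "block_all": the fix the post asks for. Every file operation,
    # read or write, is refused regardless of its arguments.
    raise ScriptFileAccessError("file access is not permitted from page script")


def run_page_script(policy, script):
    """Run `script` (a zero-argument callable standing in for the body of a
    <SCRIPT language=python> block) with builtins.open and os.listdir
    replaced according to `policy`. Returns the script's result, or the
    ScriptFileAccessError it raised, and always restores the real functions."""
    if policy == "block_writes":
        guards = (_write_only_guard, _real_listdir)
    elif policy == "block_all":
        guards = (_deny_all, _deny_all)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    builtins.open, os.listdir = guards
    try:
        return script()
    except ScriptFileAccessError as exc:
        return exc
    finally:
        builtins.open, os.listdir = _real_open, _real_listdir


def demo():
    """Run the post's two scripts, plus a write attempt, under both policies.
    The target is a constructed temp file standing in for c:\\autoexec.bat."""
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "autoexec.bat")
        with _real_open(path, "w") as fh:
            fh.write("@echo off\n")  # constructed file contents

        def read_file():        # the post's first example
            with open(path) as fh:
                return fh.read()

        def list_dir():         # the post's second example
            return sorted(os.listdir(folder))

        def write_file():       # the case the engine already blocked
            with open(path, "w") as fh:
                return fh.write("x")

        results = {}
        for policy in ("block_writes", "block_all"):
            results[policy] = {
                "read": run_page_script(policy, read_file),
                "listdir": run_page_script(policy, list_dir),
                "write": run_page_script(policy, write_file),
            }
        return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        for action, result in outcome.items():
            status = "DENIED" if isinstance(result, ScriptFileAccessError) else f"allowed -> {result!r}"
            print(f"{policy:13s} {action:8s} {status}")
```

Under "block_writes" the read and the directory listing succeed while the write is refused, reproducing the leak; under "block_all" all three are refused. Swapping two builtins is only a model of the policy: in a real engine the restriction has to be enforced at the point where page script is given access to the runtime, not bolted onto individual functions.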

There might also be workarounds to this problem, either in Microsoft's
ActiveScripting support in IE or in the Python runtime library.
However, I am not enough of an expert on either technology to know what
these workarounds might be.  Please drop me an email if you have any
suggestions.

Richard M. Smith
http://www.computerbytesman.com