[issue18747] Re-seed OpenSSL's PRNG after fork

2019-01-04 Thread Gabriel Corona


Gabriel Corona  added the comment:

Now that the default PRNG of the 'random' package is automatically reseeded at 
fork, wouldn't it make sense to reseed the OpenSSL seed as well?

(At the same time the OpenSSL wiki states [1] that "The situation has changed 
greatly, starting with OpenSSL 1.1.1 which completely rewrote RNG. The concerns 
[of fork unsafety] do not really apply any more".)

[1] https://wiki.openssl.org/index.php/Random_fork-safety

------
nosy: +Gabriel Corona

___
Python tracker 
<https://bugs.python.org/issue18747>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue35971] Documentation should warn about code injection from current working directory

2019-02-11 Thread Gabriel Corona


New submission from Gabriel Corona :

The CLI tools shipped in Debian python-rdflib-tools package can load modules 
from the current directory [1]:

$ echo 'print("Something")' > cgi.py
$ rdf2dot
INFO:rdflib:RDFLib Version: 4.2.2
Something
Reading from stdin as None...

This could be a security issue because an attacker could possibly exploit this 
behavior to execute arbitrary code.

This happens because these CLI tools are implemented as:

#!/bin/sh

exec /usr/bin/python -m rdflib.tools.rdfpipe $*

"python -m $module", "python -c $code" and "$command | python" prepend the 
current working directory to the Python path. The Python documentation [2] 
should probably warn about this. In Python 3, "-I" could be suggested to 
prevent the script/current directory from being added to the Python path. However, 
this flag has other effects.

The Python documentation suggests "python -m" commands at some places [3-5]: 
some form of warning at those places might be nice as well.

See the related behavior of Perl. Perl used to include "." in @INC but this was 
removed for security reasons [6].


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921751
[2] https://docs.python.org/3/using/cmdline.html
[3] https://docs.python.org/3.1/library/json.html
[4] https://docs.python.org/3/library/http.server.html
[5] https://docs.python.org/3/library/zipapp.html
[6] https://metacpan.org/pod/release/XSAWYERX/perl-5.26.0/pod/perldelta.pod#Removal-of-the-current-directory-%28%22.%22%29-from-@INC

--
messages: 335271
nosy: Gabriel Corona
priority: normal
severity: normal
status: open
title: Documentation should warn about code injection from current working directory
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

___
Python tracker 
<https://bugs.python.org/issue35971>
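One way to verify the sys.path behaviour described in the report above, and the effect of the suggested "-I" flag, as an added example that is not part of the bug report or of CPython itself: it launches the running interpreter in a fresh temporary directory, with and without "-I", and reports whether a harmless marker module placed in that directory gets picked up. The module name "probe_shadow" and the marker string are constructed for this example.

```python
"""Added example (not from the bug report): probe whether an interpreter invocation
will import modules from the current working directory, and whether -I stops it."""
import ast
import os
import subprocess
import sys
import tempfile

MARKER = "loaded from cwd"     # printed by the constructed probe module
PROBE_NAME = "probe_shadow"    # constructed, non-stdlib module name


def first_sys_path_entry(flags, cwd):
    """Return sys.path[0] as seen by `python <flags> -c ...` run inside cwd."""
    code = "import sys; print(repr(sys.path[0]))"
    res = subprocess.run([sys.executable, *flags, "-c", code],
                         cwd=cwd, capture_output=True, text=True, check=True)
    return ast.literal_eval(res.stdout.strip())


def cwd_is_first_on_path(flags, cwd):
    """True when the working directory ('' or its full path) is the first import location."""
    entry = first_sys_path_entry(flags, cwd)
    return entry == "" or os.path.realpath(entry) == os.path.realpath(cwd)


def cwd_module_loads(flags, cwd, mode):
    """Drop a marker module into cwd and report whether `python <flags> <mode>` runs it.
    mode is "-c" (import it from inline code) or "-m" (run it as the main module)."""
    with open(os.path.join(cwd, PROBE_NAME + ".py"), "w") as fh:
        fh.write(f"print({MARKER!r})\n")
    tail = ["-c", f"import {PROBE_NAME}"] if mode == "-c" else ["-m", PROBE_NAME]
    res = subprocess.run([sys.executable, *flags, *tail],
                         cwd=cwd, capture_output=True, text=True)
    return res.returncode == 0 and MARKER in res.stdout


def run_checks():
    """Compare a default invocation with an isolated (-I) one in a fresh temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for flags in ((), ("-I",)):
            results[" ".join(flags) or "(default)"] = {
                "cwd_first_on_sys_path": cwd_is_first_on_path(flags, tmp),
                "cwd_module_loads_via_-c": cwd_module_loads(flags, tmp, "-c"),
                "cwd_module_loads_via_-m": cwd_module_loads(flags, tmp, "-m"),
            }
    return results


if __name__ == "__main__":
    for name, checks in run_checks().items():
        print(name, checks)
```

The default invocation reports True for all three checks and the "-I" invocation False, which is the mitigation the report proposes for wrapper scripts that call "python -m".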