[issue19435] Directory traversal attack for CGIHTTPRequestHandler

2013-10-29 Thread Stéphane Glondu

Changes by Stéphane Glondu:


--
nosy: +glondu

___
Python tracker 
<http://bugs.python.org/issue19435>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue19948] POSIX semantics of PATH search in execvpe is not respected

2013-12-10 Thread Stéphane Glondu

New submission from Stéphane Glondu:

Hello,

According to [1],

"In the cases where the other members of the exec family of functions would 
fail and set errno to [ENOEXEC], the execlp() and execvp() functions shall 
execute a command interpreter and the environment of the executed command shall 
be as if the process invoked the sh utility using execl() as follows:

execl(<shell path>, arg0, file, arg1, ..., (char *)0);"

This is not the case with os.execvp which keeps looking in PATH for other 
executables. To reproduce:

 1. pick some executable that exists in /usr/bin (let's say "curl")
 2. prepend to PATH a directory where you put an executable file with name 
"curl" and some random shell commands, without the #! line
 3. run os.execvp("curl", ["curl"])

Instead of running the #!-less shell script, /usr/bin/curl is executed. With 
GNU libc's execvp(), the shell script is executed. According to my 
interpretation of POSIX, the shell script should be executed.

[1] 
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_09_01_01

Cheers,

-- 
Stéphane

--
components: Library (Lib)
messages: 205819
nosy: glondu
priority: normal
severity: normal
status: open
title: POSIX semantics of PATH search in execvpe is not respected
type: behavior
versions: Python 2.7

___
Python tracker 
<http://bugs.python.org/issue19948>
___
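To make the difference in the report concrete, here is a small Python 3 model of the two PATH-search policies being compared. It is an added example, not code from the tracker thread or from CPython itself: `execvp_posix` applies the POSIX rule quoted above (the first candidate that fails with ENOEXEC is handed to the shell and the search stops there), while `execvp_python27` mirrors the Python 2.7 `os._execvpe` loop as the report describes it (any failure, ENOEXEC included, moves on to the next directory). The `exec_fn` hook, the fake filesystem, the directory names, the PATH value and the helper names are all constructed for the example so it runs in-process without replacing the interpreter; the set of "keep searching" errnos is an assumption that models glibc, since the POSIX text only fixes the ENOEXEC rule.

```python
import errno
import os

# Errors on which the search moves on to the next PATH entry.  Assumption: this
# models glibc's behaviour; the POSIX text quoted in the report only fixes the
# ENOEXEC rule, not which other errors mean "try the next directory".
_KEEP_SEARCHING = {errno.ENOENT, errno.ENOTDIR}


def path_candidates(file, path):
    """Expand `file` against a POSIX-style PATH string the way execvp(3) does.

    A name containing a slash is never searched; an empty PATH entry means the
    current directory.  "/" and ":" are used literally because this models
    POSIX semantics regardless of the host platform.
    """
    if "/" in file:
        return [file]
    return [d.rstrip("/") + "/" + file if d else "./" + file for d in path.split(":")]


def execvp_posix(file, argv, path, exec_fn=os.execv, shell="/bin/sh"):
    """PATH search with the POSIX rule: the first candidate that fails with
    ENOEXEC is run as `sh candidate arg1 ...`; the search does NOT go past it."""
    saved = None
    for cand in path_candidates(file, path):
        try:
            return exec_fn(cand, argv)          # a real exec never returns
        except OSError as e:
            if e.errno == errno.ENOEXEC:
                return exec_fn(shell, [shell, cand] + list(argv[1:]))
            if e.errno in _KEEP_SEARCHING:
                continue
            if saved is None:
                saved = e                        # e.g. EACCES: remember, keep looking
    raise (saved if saved is not None
           else OSError(errno.ENOENT, os.strerror(errno.ENOENT), file))


def execvp_python27(file, argv, path, exec_fn=os.execv):
    """Search order of os._execvpe in Python 2.7 as described in the report:
    every failure, ENOEXEC included, just moves on to the next PATH entry, and
    the first non-ENOENT/ENOTDIR error is re-raised only once PATH is exhausted."""
    saved = None
    for cand in path_candidates(file, path):
        try:
            return exec_fn(cand, argv)
        except OSError as e:
            if e.errno not in _KEEP_SEARCHING and saved is None:
                saved = e
    raise (saved if saved is not None
           else OSError(errno.ENOENT, os.strerror(errno.ENOENT), file))


def make_fake_exec(fs):
    """Constructed stand-in for os.execv so the search can run in-process.

    `fs` maps a path to the errno exec would fail with, or None if exec would
    succeed; unknown paths are ENOENT.  On "success" it returns (path, argv)
    instead of replacing the process.
    """
    def fake_exec(path, argv):
        code = fs.get(path, errno.ENOENT)
        if code is not None:
            raise OSError(code, os.strerror(code), path)
        return (path, list(argv))
    return fake_exec


def run_policy(policy, file, argv, path, fs):
    """Run one search policy against a fake filesystem.

    Returns ('exec', path, argv) for the program that would have been
    executed, or ('error', errno) if the search gives up.
    """
    try:
        return ("exec",) + policy(file, argv, path, exec_fn=make_fake_exec(fs))
    except OSError as e:
        return ("error", e.errno)


# Constructed reproduction of the report's scenario: an executable "#!"-less
# script named curl in a directory prepended to PATH, the real binary in
# /usr/bin, and a shell for the ENOEXEC fallback to hand the script to.
FAKE_FS = {
    "/home/me/bin/curl": errno.ENOEXEC,
    "/usr/bin/curl": None,
    "/bin/sh": None,
}
PATH = "/home/me/bin:/usr/bin"

if __name__ == "__main__":
    for name, policy in (("POSIX/glibc", execvp_posix), ("Python 2.7", execvp_python27)):
        print(f"{name:12s} -> {run_policy(policy, 'curl', ['curl'], PATH, FAKE_FS)}")
```

Run stand-alone, the POSIX policy reports `/bin/sh /home/me/bin/curl` and the Python 2.7 policy reports `/usr/bin/curl`, which is exactly the discrepancy in the report. The practical consequence is that the program a Python 2.7 `os.execvp()` call ends up running can differ from what the shell (or `which`) would pick for the same PATH: a candidate that exists and is executable but is rejected by execve() is silently skipped rather than run through `sh`, so PATH order alone does not tell you which file executes.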



[issue19948] POSIX semantics of PATH search in execvpe is not respected

2013-12-11 Thread Stéphane Glondu

Stéphane Glondu added the comment:

> What platform is this on?

I'm on Linux (Debian testing).

> Looking quickly through posix.execve (which is what I think gets called), it 
> looks like it just calls C's execve().

Yes, but I'm talking about os.execvp, here. With the search in PATH.

> Also, what's your use case for this?

I discovered that by accident while investigating another bug...

> I realize it might be a standard behavior, but it seems like a bad idea to me.

What is the bad idea? Keep looking in subsequent directories in PATH when you 
find a candidate for which execve() fails? Sorry, but I beg to differ, and 
POSIX is on my side.

--




[issue19948] POSIX semantics of PATH search in execvpe is not respected

2013-12-11 Thread Stéphane Glondu

Stéphane Glondu added the comment:

> What is the bad idea? Keep looking in subsequent directories in PATH when you 
> find a candidate for which execve() fails? Sorry, but I beg to differ, and 
> POSIX is on my side.

Sorry, I meant "Stop looking in subsequent [..]".

--




[issue19948] POSIX semantics of PATH search in execvpe is not respected

2013-12-11 Thread Stéphane Glondu

Stéphane Glondu added the comment:

> os.execvp calls os._execvpe which calls posix.execv which calls execv. At 
> least that's how I think it works.

I am not contesting that. This bug is about the "search the command in PATH" 
part. More precisely, the fact that os.execvp continues the search after execv 
fails.

--
