Re: [Python-Dev] tarfile and directory traversal vulnerability
On Fri, Aug 24, 2007 at 07:36:41PM +0200, Jan Matejek wrote:
> Once upon a time there was a known vulnerability in tar (CVE-2001-1267,
> [1]), and while tar is now long fixed, Python's tarfile module is
> affected too.
>
> The vulnerability goes basically like this: if you tar a file named
> "../../../../../etc/passwd" and then make the admin untar it,
> /etc/passwd gets overwritten.
>
> Another variety of this bug is a symlink one: if the tar contains files like:
>
>     ./-directory -> /etc
>     ./-directory/passwd
>
> then the "-directory" symlink would be created first and /etc/passwd
> will be overwritten once again.

tarfile currently contains no sanity checks at all. The easiest way to
attack /etc/passwd would be to give tarfile a tar created with
`tar -cPf foo.tar /etc/passwd'.

> I was wondering how to fix it.
>
> The symlink problem obviously applies only to the extractall() method and is
> easily fixed by delaying external (or possibly all) symlink creation,
> similar to how directory attributes are delayed now.
> I've attached a draft of the patch; if you like it, I'll polish it.

Suppose we have:

    foo -> /etc
    foo/passwd

If creation of the foo symlink is delayed, foo/passwd will be extracted
in a directory foo which will be created implicitly. If we create the
foo symlink afterwards it will fail because foo already exists.

The best way would be to completely ignore members and link targets that
are absolute or outside the archive's scope.

> The traversal problem is harder, and it applies to the extract() method as well.
> For extractall() alone, I would use something like:
>
>     if not tarinfo.name.startswith('../'):
>         self.extract(tarinfo, path)
>     else:
>         warnings.warn("non-local file skipped: %s" % tarinfo.name,
>                       RuntimeWarning, stacklevel=1)
>
> For extract(), I am not sure. Maybe it should throw an exception when it
> encounters such a file, and have a special option to extract such files
> anyway.

[...]

Yes, I think that is the right way to do it.
-- Lars Gustäbel [EMAIL PROTECTED] A chicken is an egg's way of producing more eggs. (Anonymous) ___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
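The following is an added illustration, not code from this thread or from the tarfile module, of the policy Lars proposes above: ignore members and link targets that are absolute or point outside the extraction directory. It checks each member immediately before it is written, against what earlier members have already put on disk, so the ordering problem with delayed symlinks (foo -> /etc followed by foo/passwd) cannot arise. The sample archive is constructed in memory from the attacks described in the thread; the names `check_member`, `safe_extractall`, `build_demo_tar` and `demo` are chosen for this example. Note that the quoted `startswith('../')` test on its own would accept `/etc/passwd` and `a/../../etc/passwd`, which is why the check below splits the name into components and also rejects absolute names.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def _inside(base, candidate):
    """True if candidate, after resolving symlinks that already exist on disk,
    lies at or below base. Resolving is what stops a link created by an
    earlier member (foo -> /etc) from redirecting a later member (foo/passwd)."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return candidate == base or candidate.startswith(base + os.sep)


def check_member(dest, member):
    """Return None if the member may be extracted under dest, otherwise the
    reason it must be skipped."""
    name = member.name
    if posixpath.isabs(name):
        return "absolute member name"
    if ".." in name.split("/"):
        return "parent-directory reference in member name"
    target = os.path.join(dest, name)
    if not _inside(dest, target):
        return "member resolves outside destination"
    if member.issym():
        # Symlink targets are relative to the directory containing the link.
        if posixpath.isabs(member.linkname):
            return "absolute symlink target"
        link_target = os.path.join(os.path.dirname(target), member.linkname)
        if not _inside(dest, link_target):
            return "symlink target outside destination"
    if member.islnk():
        # Hard link targets are relative to the archive root.
        if not _inside(dest, os.path.join(dest, member.linkname)):
            return "hardlink target outside destination"
    return None


def safe_extractall(tar, dest):
    """Extract members one at a time, re-checking each one against what is
    already on disk. Returns (extracted_names, [(name, reason), ...])."""
    extracted, skipped = [], []
    for member in tar:
        reason = check_member(dest, member)
        if reason is not None:
            skipped.append((member.name, reason))
            continue
        tar.extract(member, dest)
        extracted.append(member.name)
    return extracted, skipped


def build_demo_tar():
    """Constructed sample archive (not a real-world artifact) holding the
    attacks from the thread plus two harmless members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, linkname):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)

        fake_passwd = b"root::0:0::/:/bin/sh\n"
        add_file("etc/motd", b"harmless\n")
        add_file("../../../../../etc/passwd", fake_passwd)  # CVE-2001-1267 style traversal
        add_file("/etc/passwd", fake_passwd)                # tar -cPf style absolute name
        add_symlink("foo", "/etc")                          # symlink variant: link first ...
        add_file("foo/passwd", fake_passwd)                 # ... then a file written through it
        add_symlink("bar", "../escape")                     # relative link that still leaves dest
        add_symlink("inner", "etc/motd")                    # link that stays inside dest: allowed
    return buf.getvalue()


def demo():
    """Extract the sample archive into a temporary directory (removed
    afterwards) and report what was extracted and what was refused."""
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_demo_tar()), mode="r:") as tar:
            return safe_extractall(tar, dest)


if __name__ == "__main__":
    extracted, skipped = demo()
    print("extracted:", extracted)
    for name, reason in skipped:
        print("skipped %r: %s" % (name, reason))
```

Because the foo symlink is refused, the later foo/passwd member lands in an ordinary directory named foo inside the destination, which is exactly the behaviour Lars describes for the delayed-symlink case, only with the link dropped rather than failing afterwards. Python 3.12 and later ship equivalent protection as tarfile extraction filters (`filter="data"`), which become the default in 3.14; on those versions this code is defence in depth, on older ones it is the only check.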
[Python-Dev] new bug tracker broken?
I've been trying to reset my password on the new RoundUp tracker, and it isn't working. Then I tried to register for a new account, and I got mail from [EMAIL PROTECTED] to confirm. When I did, I got access to a small 27-issue tracker, which seems to be the bug-tracker for the bug-tracker. Still can't get into the Python bug-tracker. Bill ___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] new bug tracker broken?
It looks like you found the meta tracker rather than the python one.

To reset your password for the main python tracker:
http://bugs.python.org/[EMAIL PROTECTED]

To report bugs, go here:
http://bugs.python.org/

To register a new account, go here:
http://bugs.python.org/[EMAIL PROTECTED]

Note, I'm not sure if you have an account, you might need to register.

To report problems about the bug tracker (ie, not python problems), go here:
http://psf.upfronthosting.co.za/roundup/meta/

n
--

On 8/25/07, Bill Janssen <[EMAIL PROTECTED]> wrote:
> I've been trying to reset my password on the new RoundUp tracker,
> and it isn't working. Then I tried to register for a new account,
> and I got mail from
>
>    [EMAIL PROTECTED]
>
> to confirm. When I did, I got access to a small 27-issue tracker,
> which seems to be the bug-tracker for the bug-tracker. Still can't
> get into the Python bug-tracker.
>
> Bill

___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Avoiding cascading test failures
On Wed, Aug 22, 2007 at 07:44:02PM -0400, Alexandre Vassalotti wrote:
> When I was fixing tests failing in the py3k branch, I found the number
> of duplicate failures annoying. Often, a single bug, in an important
> method or function, caused a large number of testcases to fail. So, I
> thought of a simple mechanism for avoiding such cascading failures.
>
> My solution is to add a notion of dependency to testcases. A typical
> usage would look like this:
>
>     @depends('test_getvalue')
>     def test_writelines(self):
>         ...
>         memio.writelines([buf] * 100)
>         self.assertEqual(memio.getvalue(), buf * 100)
>         ...
>
> Here, running the test is pointless if test_getvalue fails. So by
> making test_writelines depend on the success of test_getvalue, we can
> ensure that the report won't be polluted with unnecessary failures.
>
> Also, I believe this feature will lead to more orthogonal tests, since
> it encourages the user to write smaller tests with fewer dependencies.
>
> I wrote an example implementation (included below) as a proof of
> concept. If the idea gets enough support, I will implement it and add
> it to the unittest module.
>
> -- Alexandre

I like this idea.

Be sure to have an option to ignore dependencies and run all tests.

Also when skipping tests because a dependency failed, have unittest
print out an indication that a test was skipped due to a dependency
rather than silently running fewer tests. Otherwise it could be
deceptive and appear that only one test was affected.

Greg

___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] New bug tracker is active now
On Thu, Aug 23, 2007 at 10:06:01PM +0200, Erik Forsberg wrote:
> "Martin v. Löwis" <[EMAIL PROTECTED]> writes:
>
> >> When editing my details I saw there is a field for my timezone. The
> >> comment says: "this is a numeric hour offset, the default is UTC", so
> >> I'm assuming it counts in whole hours (fine for me, not so fine for
> >> people in e.g. India, unless it accepts decimal notation). I have two
> >> issues with this: it's unclear which direction this works (is East
> >> positive or negative?), and I will need to change this number twice
> >> yearly. In other words, it shouldn't be a number, it should be a name,
> >> like the names used in Linux: Europe/Amsterdam.
> >
> > I think this will be fairly difficult to fix. Roundup doesn't have
> > a timezone database; it just applies the delta to the UTC time. We are
> > merely using roundup, instead of developing it.
>
> Actually, there is some kind of symbolic time zone support via the
> pytz module. If the pytz module is installed, you can provide the time
> zone as a symbolic name. I don't know if it follows the DST changes.
>
> I would suggest that someone enter a feature request in the meta
> tracker, http://psf.upfronthosting.co.za/roundup/meta/, and we can
> take a look.

I entered a bug to see if they'll fix it:
http://psf.upfronthosting.co.za/roundup/meta/msg712

Proper timezone support via pytz has been in roundup since the October 2006
1.2.0 release according to the changelog.

-greg

___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] new bug tracker broken?
    Neal> Note, I'm not sure if you have an account, you might need to
    Neal> register.

But try your SF id first.

Skip

___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Avoiding cascading test failures
On 8/25/07, Gregory P. Smith <[EMAIL PROTECTED]> wrote: > I like this idea. Yay! Now, I ain't the only one. ;) > Be sure to have an option to ignore dependancies and run all tests. Yes, I planned to add a such option. > Also when skipping tests because a depedancy failed have unittest > print out an indication that a test was skipped due to a dependancy > rather than silently running fewer tests. Otherwise it could be > deceptive and appear that only one test was affected. However, that was never planned. I added the ignore_dependencies option. Also, I fixed the sub-optimal dependency resolution algorithm that was in my original example implementation. -- Alexandre --- dep.py.old 2007-08-25 19:54:27.0 -0400 +++ dep.py 2007-08-25 20:02:55.0 -0400 @@ -2,8 +2,9 @@ class CycleError(Exception): pass +class TestGraph: -class TestCase: +ignore_dependencies = False def __init__(self): self.graph = {} @@ -19,16 +20,16 @@ graph = self.graph toskip = set() msgs = [] -while graph: +if self.ignore_dependencies: +for test in graph: +graph[test].clear() # find tests without any pending dependencies -source = [test for test, deps in graph.items() if not deps] -if not source: -raise CycleError -for testname in source: +queue = [test for test, deps in graph.items() if not deps] +while queue: +testname = queue.pop() if testname in toskip: msgs.append("%s... skipped" % testname) -resolvedeps(graph, testname) -del graph[testname] +queue.extend(resolve(graph, testname)) continue test = getattr(self, testname) try: @@ -42,8 +43,9 @@ else: msgs.append("%s... ok" % testname) finally: -resolvedeps(graph, testname) -del graph[testname] +queue.extend(resolve(graph, testname)) +if graph: +raise CycleError for msg in sorted(msgs): print(msg) 
@@ -60,10 +62,15 @@ rdeps.update(getrevdeps(graph, x)) return rdeps - def resolvedeps(graph, testname): +def resolve(graph, testname): +toqueue = [] for test in graph: if testname in graph[test]: graph[test].remove(testname) +if not graph[test]: +toqueue.append(test) +del graph[testname] +return toqueue def depends(*args): def decorator(test): @@ -75,7 +82,9 @@ return decorator -class MyTest(TestCase): +class MyTest(TestGraph): + +ignore_dependencies = True @depends('test_foo') def test_nah(self): class CycleError(Exception): pass class TestGraph: ignore_dependencies = False def __init__(self): self.graph = {} tests = [x for x in dir(self) if x.startswith('test')] for testname in tests: test = getattr(self, testname) if hasattr(test, 'deps'): self.graph[testname] = test.deps else: self.graph[testname] = set() def run(self): graph = self.graph toskip = set() msgs = [] if self.ignore_dependencies: for test in graph: graph[test].clear() # find tests without any pending dependencies queue = [test for test, deps in graph.items() if not deps] while queue: testname = queue.pop() if testname in toskip: msgs.append("%s... skipped" % testname) queue.extend(resolve(graph, testname)) continue test = getattr(self, testname) try: test() except AssertionError: toskip.update(getrevdeps(graph, testname)) msgs.append("%s... failed" % testname) except: toskip.update(getrevdeps(graph, testname)) msgs.append("%s... error" % testname) else: msgs.append("%s... ok" % testname) finally: queue.extend(resolve(graph, testname)) if graph: raise CycleError for msg in sorted(msgs): print(msg) def getrevdeps(graph, testname): """Return the reverse depencencies of a test""" rdeps = set() for x in graph: if testname in graph[x]: rdeps.add(x) if rdeps: # propagate depencencies recursively for x in rdeps.copy(): rdeps.update(getrevdeps(graph, x)) return rdeps def resolve(graph, testname): toqueue = [] for test in graph: if testname in graph[test]: graph[test].remove(testname) if not graph[test]: toqu
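Review bot: `ignore_dependencies` in hunk `@@ -2,8 +2,9 @@` is a class attribute that callers are expected to override by subclassing (as `MyTest` does at the end of the patch), so it cannot be toggled per run from a command line, which is what the request for an "option to ignore dependencies and run all tests" asks for. Accept it as an argument, `def run(self, ignore_dependencies=None)`, and fall back to the class attribute only when the argument is not given.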
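Review bot: `graph[test].clear()` in the new `ignore_dependencies` branch of hunk `@@ -19,16 +20,16 @@` empties the very set objects the decorator attached to the test functions, because `__init__` stores `self.graph[testname] = test.deps` without copying (and `resolve` already removes names from those same sets during a normal run), so after one run the dependency information is gone for every later instance of the class. Build the graph from copies, `self.graph[testname] = set(test.deps)`, so that `run()` does not mutate the decorated functions. In the same hunk, `msgs.append("%s... skipped" % testname)` does not name the failed dependency that caused the skip, which is the reporting the thread asks for; record the failing test's name when its reverse dependencies are added to `toskip` and print it with the skipped line.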
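Review bot: `if graph: raise CycleError` in hunk `@@ -42,8 +43,9 @@` fires after the runnable tests have already executed but before `for msg in sorted(msgs): print(msg)`, so their results are thrown away and the exception carries no hint of which tests were left unresolved. Raise `CycleError(sorted(graph))`, or print the collected messages first. Note also that a misspelled name in a `@depends(...)` list is never removed by `resolve`, so its test stays in `graph` and surfaces here as a "cycle"; validating in `__init__` that every dependency is one of the discovered test names gives a much clearer error.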
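Review bot: `resolve` in hunk `@@ -60,10 +62,15 @@` has no docstring although `getrevdeps` directly above it has one; document that it deletes `testname` from the graph, strips it from every remaining test's dependency set and returns the tests that thereby became runnable. It also walks the whole graph on every call, and `getrevdeps` recomputes the reverse dependencies recursively for every failure, so a run is quadratic in the number of tests; a reverse-dependency map built once in `__init__` would turn both into dictionary lookups.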
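Review bot: the sample class `MyTest` in hunk `@@ -75,7 +82,9 @@` sets `ignore_dependencies = True`, so running the example never exercises the skipping logic the patch is about. Leave the sample with the default and drive the switch from outside (for instance a command-line flag), so the example output shows both the `skipped` lines and the unfiltered run.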
[Python-Dev] issue 1024 contains documentation patch for SSL work
I've created the documentation patch for the new SSL module. It's attached to issue 1024. Bill ___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
[Python-Dev] Other SSL issues in the tracker have been marked
I've gone through the other open SSL issues. Looks like some can be
closed with the adoption of 1018 and 1024:

    1027394    4 months ago   socket.ssl should explain that it is a 2/3 connection
    889813     4 months ago   making the version of SSL configurable when creating sockets
    1583946    9 months ago   SSL "issuer" and "server" names cannot be parsed
    783188    46 months ago   support for server side transactions in _ssl

Others are about various standard libraries that interact with SSL in
various ways. I'm working on another patch that converts all the
standard library modules over to use the new ssl module, and I'll look
at the rest of the SSL-related bugs as part of that work.

Bill

___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Other SSL issues in the tracker have been marked
Bill,

Could you also look into this problem:

    Traceback (most recent call last):
      File "/home/pybot/buildarea/trunk.klose-debian-ia64/build/Lib/threading.py", line 486, in __bootstrap_inner
        self.run()
      File "/home/pybot/buildarea/trunk.klose-debian-ia64/build/Lib/test/test_ssl.py", line 144, in run
        cert_reqs=self.server.certreqs)
      File "/home/pybot/buildarea/trunk.klose-debian-ia64/build/Lib/ssl.py", line 98, in __init__
        cert_reqs, ssl_version, ca_certs)
    sslerror: _ssl.c:271: SSL_CTX_use_PrivateKey_file error

This occurs on at least 3 of the buildbots (ubuntu and debian on ia64,
ppc, and hppa). Here's one example:
http://python.org/dev/buildbot/all/ia64%20Ubuntu%20trunk%20trunk/builds/832/step-test/0

This also looks like it's not working on windows, but there is no info
from here:
http://python.org/dev/buildbot/all/x86%20XP-3%20trunk/builds/164/step-test/0

Other than:

    test_ssl
    The system cannot find the path specified.

Which happens after it hangs for 1200 seconds.

Thanks,
n
--

On 8/25/07, Bill Janssen <[EMAIL PROTECTED]> wrote:
> I've gone through the other open SSL issues. Looks like some can be
> closed with the adoption of 1018 and 1024:
>
>     1027394    4 months ago   socket.ssl should explain that it is a 2/3 connection
>     889813     4 months ago   making the version of SSL configurable when creating sockets
>     1583946    9 months ago   SSL "issuer" and "server" names cannot be parsed
>     783188    46 months ago   support for server side transactions in _ssl
>
> Others are about various standard libraries that interact with SSL
> in various ways. I'm working on another patch that converts all the
> standard library modules over to use the new ssl module, and I'll look
> at the rest of the SSL-related bugs as part of that work.
>
> Bill

___ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com