Summary: | dev-lang/python[readline]: interactive interpreter loads readline.py from $PWD even when $PWD is insecure | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED WONTFIX | ||
Severity: | normal | CC: | paul, python, yac |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://bugs.python.org/issue12238 | ||
Whiteboard: | A? [upstream] | ||
Package list: | Runtime testing required: | --- |
Description
Matthew Thode ( prometheanfire )
2013-04-22 21:29:03 UTC
python3.2 owned as well (forgot that print was a function in python3).

```
/tmp $ strace -eopen -o woof python3.2 ; grep -v open\(\"/ woof
Python 3.2.3 (default, Mar 22 2013, 09:56:53)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
OWNED: by /tmp/readline.py
>>>
open("readline.cpython-32.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readlinemodule.cpython-32.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readline.abi3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readlinemodule.abi3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readline.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readlinemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readline.py", O_RDONLY) = 4
open("__pycache__/readline.cpython-32.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("__pycache__/readline.cpython-32.pyc", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0100644) = 5
+++ exited with 0 +++
/tmp $ strace -eopen -o woof python2.7 ; grep -v open\(\"/ woof
Python 2.7.3 (default, Mar 22 2013, 09:48:51)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
OWNED: by /tmp/readline.py
>>>
open("readline.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readlinemodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readline.py", O_RDONLY) = 4
open("readline.pyc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("readline.pyc", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0100644) = 5
+++ exited with 0 +++
```

Looks like all versions of python do this. My guess is it was by design, akin to gdb loading $PWD/.gdbinit. This seems like a bad idea even if it is by design.

This definitely doesn't seem like something we should "fix" at a distro level. Convince upstream it is a problem and we can talk.

Also note that this is not limited to interactive usage; if you invoke a python script which imports readline, the same thing will happen.

OK, not limited to readline:

```
$ python -c 'import sys; print sys.path'
['', '/usr/lib64/python27.zip', '/usr/lib64/python2.7', '/usr/lib64/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk', '/usr/lib64/python2.7/lib-old', '/usr/lib64/python2.7/lib-dynload', '/usr/lib64/python2.7/site-packages', '/usr/lib64/python2.7/site-packages/PIL', '/usr/lib64/python2.7/site-packages/gst-0.10', '/usr/lib64/python2.7/site-packages/gtk-2.0', '/usr/lib64/python2.7/site-packages/wx-2.8-gtk2-unicode']
```

Found an upstream bug; it seems that they would like to fix it if possible, but are not quite sure how to do so. http://bugs.python.org/issue12238

(In reply to comment #6)
> ok, not limited to readline
>
> $ python -c 'import sys; print sys.path'
> ['', '/usr/lib64/python27.zip', '/usr/lib64/python2.7',
> '/usr/lib64/python2.7/plat-linux2', '/usr/lib64/python2.7/lib-tk',
> '/usr/lib64/python2.7/lib-old', '/usr/lib64/python2.7/lib-dynload',
> '/usr/lib64/python2.7/site-packages',
> '/usr/lib64/python2.7/site-packages/PIL',
> '/usr/lib64/python2.7/site-packages/gst-0.10',
> '/usr/lib64/python2.7/site-packages/gtk-2.0',
> '/usr/lib64/python2.7/site-packages/wx-2.8-gtk2-unicode']

I have not been able to reproduce it with anything other than readline. I tried sys and os; feel free to try others (tested in python 2.7).

Upstream thinks this happens because readline is loaded much later in the startup process than sys or os. http://bugs.python.org/issue12238#msg137824

(In reply to comment #8)

```
$ strace -e open python -c 'import foo' |& grep '("foo.so"'
open("foo.so", O_RDONLY) = -1 ENOENT (No such file or directory)
```

AFAIK this is standard behavior for import modules. PEP 328 may be relevant to this issue.

From $URL Christian Heimes said:

"Steve took care of the readline import for isolated mode in #28192. We can't change the default behavior. If you want to prevent Python from importing files from either cwd, user packages or env vars, you have to use isolated mode. System scripts should use the isolated mode flag, too."

Reverting the summary to its original value, which is specifically related to readline being loaded implicitly.

Explicitly importing modules loads them from the working directory by default, and this is by-design. When using >=Python-3.6.0 (https://github.com/python/cpython/commit/313523ce2dd67db67b7dcbcc5f6d6ca95922b34b), user and system scripts should use isolated mode to prevent Python from importing files from either cwd, user packages or env vars. The behavior for previous versions won't change. Therefore I am closing this issue as WON'T FIX.
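The following check is an added example, not part of the bug report or of CPython. It runs the same child interpreter in a scratch directory with and without the isolated mode flag (`-I`) and reports whether a module sitting in the working directory is importable. The module name `gr_cwd_shadow_demo` and its one-line body are constructed, harmless placeholders; `writable_by_others` is a hypothetical helper for spotting the "insecure $PWD" case.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed, harmless stand-in for a file found in the working directory.
SHADOW_NAME = "gr_cwd_shadow_demo"  # hypothetical module name
SHADOW_SOURCE = "ORIGIN = __file__\n"

# Code run in the child: try the import, then report whether '' is on sys.path.
PROBE = (
    "import sys\n"
    "try:\n"
    "    import {name}\n"
    "    print('loaded-from-cwd')\n"
    "except ImportError:\n"
    "    print('not-importable')\n"
    "print('cwd-on-path' if '' in sys.path else 'cwd-not-on-path')\n"
)

def probe(workdir, extra_flags=()):
    """Run a child interpreter in workdir; return (import_result, path_result)."""
    env = dict(os.environ)
    env.pop("PYTHONSAFEPATH", None)  # keep the default-mode run at true defaults
    env.pop("PYTHONPATH", None)
    done = subprocess.run(
        [sys.executable, *extra_flags, "-c", PROBE.format(name=SHADOW_NAME)],
        cwd=workdir, env=env, capture_output=True, text=True, check=True,
    )
    return tuple(done.stdout.split())

def compare_modes():
    """Compare default mode with isolated mode (-I) in the same directory."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, SHADOW_NAME + ".py"), "w") as fh:
            fh.write(SHADOW_SOURCE)
        return {"default": probe(workdir), "isolated": probe(workdir, ["-I"])}

def writable_by_others(path):
    """True when group or other may write to path, as with /tmp."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

if __name__ == "__main__":
    for mode, result in compare_modes().items():
        print(mode, result)
    print("cwd writable by others:", writable_by_others(os.getcwd()))
```

For system scripts the same effect comes from putting `-I` on the interpreter line, which is the use upstream recommends above.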