Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210726171303.sbqu537tv7dl3yyp@jwilk.net>
Date: Mon, 26 Jul 2021 19:13:03 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: <oss-security@...ts.openwall.com>
Subject: Re: Potential symlink attack in python3 __pycache__

* Santiago Torres <torresariass@...il.com>, 2021-07-26, 12:21:
>On Mon, Jul 26, 2021 at 06:59:30PM +0300, Georgi Guninski wrote:
>>python3 shell is still vulnerable from modules in the current 
>>directory, but some of them like |sys| and |os| can't be spoofed.
>
>Is this a consequence of sys/os being special exceptions, or the fact 
>that they are (if my memory doesn't fail me) a bunch of bindings to C 
>so's?

The "sys" module is compiled into the Python interpreter itself. 
Importing it never involves traversing sys.path.

The "os" module is another story. This module is imported during the 
interpreter initialization, apparently before cwd is added to sys.path, 
so subsequent "import os" is no-op. But if you tried reloading it, the 
code from cwd would be executed:

   $ echo 'print("moo")' > os.py
   $ python3 -c 'import os; print(os)'
   <module 'os' from '/usr/lib/python3.9/os.py'>
   $ python3 -c 'import os, importlib; importlib.reload(os)'
   moo

-- 
Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.