Issue 25288: readline.py file in current directory caused unexpected code execution. (original) (raw)

Created on 2015-10-01 09:26 by Hiroki Kiyohara, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (6)
msg252012 - (view) Author: Hiroki Kiyohara (Hiroki Kiyohara) Date: 2015-10-01 09:26
Running `python` interpreter will import `readline.py` file in current directory. It causes unexpected code execution. This problem is reported by 'Japan Vulnerability Notes' as a bug on Windows version Python http://jvn.jp/jp/JVN49503705/ It says that when we run Windows version python will import `readline.pyd` file in current directory. And it may run unexpected codes with permission assigned to python.exe. The line causing this problem may be... https://github.com/python/cpython/blob/2.7/Lib/code.py#L303 Should it be considered as vulnerability of python (or Windows version python)?
msg252015 - (view) Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2015-10-01 10:19
I can reproduce this action on Ubuntu. The forged readline.py in python's execution directory can steal the permission of python and do something dangerous.
msg252027 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-10-01 13:55
This is not a bug, this is the way python works. When running in interactive mode (only) the current directory is first on the path. Now, should this behavior be changed? I think we've discussed this before and decided not to change it (for backward compatibility reasons), but I think there was dissent and that increasing emphasis on security since that discussion might argue for a different outcome. It's a python-dev mailing list level issue, in any case.
msg252028 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-10-01 14:03
Well, so much for my memory :(. The actual discussion was in issue 12238, where *my* conclusion was that this should be fixed (readline should be special cased), but the issue is still open. Patches welcome :)
msg252077 - (view) Author: Hiroki Kiyohara (Hiroki Kiyohara) Date: 2015-10-02 01:04
I see. Thank you very much, guys.
msg252180 - (view) Author: Akira Li (akira) * Date: 2015-10-02 23:25
python3 -I could be used as a workaround.
History
Date User Action Args
2022-04-11 14:58:22 admin set github: 69475
2015-10-02 23:25:41 akira set nosy: + akiramessages: +
2015-10-02 01:04:04 Hiroki Kiyohara set messages: +
2015-10-01 14:03:10 r.david.murray set status: open -> closedsuperseder: Readline module loading in interactive modemessages: + resolution: duplicatestage: resolved
2015-10-01 13:55:34 r.david.murray set nosy: + r.david.murraymessages: +
2015-10-01 10:19:20 xiang.zhang set nosy: + xiang.zhangmessages: +
2015-10-01 09:26:41 Hiroki Kiyohara create