[Python-Dev] PEP 493: HTTPS verification migration tools for Python 2.7
Nick Coghlan ncoghlan at gmail.com
Thu Feb 25 03:36:10 EST 2016
- Previous message (by thread): [Python-Dev] PEP 493: HTTPS verification migration tools for Python 2.7
- Next message (by thread): [Python-Dev] Python should be easily compilable on Windows with MinGW
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 25 February 2016 at 07:14, M.-A. Lemburg <mal at egenix.com> wrote:
> On 24.02.2016 21:39, Cory Benfield wrote:
>> On 24 Feb 2016, at 12:19, M.-A. Lemburg <mal at egenix.com> wrote:
>>> On 24.02.2016 12:28, Cory Benfield wrote:
>>>> I’m not entirely sure this is accurate. Specifically, an attacker that is able to set environment variables but nothing else (no filesystem access) would be able to disable hostname validation. To my knowledge this is the only environment variable that could be set that would do that.
>>> An attacker with access to the OS environment of a process would be able to do lots of things. I think disabling certificate checks is not one of the highest ranked attack vectors you'd use, given such capabilities :-) Think of LD_PRELOAD attacks, LD_LIBRARY_PATH manipulations, shell PATH manipulations (think spawned processes), compiler flag manipulations (think "pip install sourcepkg"), OpenSSL reconfiguration, etc.
>> To be clear, I’m not suggesting that this represents a reason not to do any of this, just that we should not suggest that there is no risk here: there is, and it is a new attack vector.
> Fair enough :-)
I tweaked the explanation of that security caveat: https://hg.python.org/peps/rev/a24451715d84 (and then tweaked the tweak to replace "the main" with "a key").
I didn't mention the prospect of reading sensitive data from the environment, as the specific problem we're introducing is with write access, and I believe certain flavours of vulnerability can give the ability to do blind writes to the environment without necessarily gaining the ability to dump arbitrary details about that environment.
Cheers, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
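The thread's caveat is that a process whose environment can be written to may have its HTTPS verification switched off without any filesystem access. The following is an added example, not code from the thread or from PEP 493 itself, showing the defender-side check a deployment script can run: it audits an environment mapping for the PEP 493 switch and for the loader variables Marc-André lists, and confirms that the interpreter's default client context still verifies certificates and hostnames. It assumes PEP 493's documented semantics (the variable is named PYTHONHTTPSVERIFY and a value of "0" disables verification on Python 2.7.12+); the variable name and the sample environment below are taken from the PEP and constructed here, not from this message.

```python
import os
import ssl

# PEP 493 switch (assumed from the PEP's text, not named on this page):
# PYTHONHTTPSVERIFY=0 disables HTTPS certificate verification on 2.7.12+.
HTTPS_VERIFY_VAR = "PYTHONHTTPSVERIFY"
# Loader variables the thread mentions as ways to influence a process.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH")

# Constructed sample environment for demonstration only.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "PYTHONHTTPSVERIFY": "0",
    "LD_PRELOAD": "/tmp/constructed-example.so",
}


def https_verification_disabled_by_env(environ):
    """True when the PEP 493 variable carries its 'disable' value "0"."""
    return environ.get(HTTPS_VERIFY_VAR) == "0"


def audit_environment(environ):
    """Return findings about variables that weaken verification or loading."""
    findings = []
    if https_verification_disabled_by_env(environ):
        findings.append("%s=0 disables HTTPS certificate verification on Python 2.7.12+"
                        % HTTPS_VERIFY_VAR)
    for name in LOADER_VARS:
        if environ.get(name):
            findings.append("%s is set (%s): dynamic loader can be redirected"
                            % (name, environ[name]))
    return findings


def default_context_verifies():
    """True when this interpreter's default client context checks both the
    certificate chain and the hostname, i.e. verification is actually on."""
    ctx = ssl.create_default_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print("constructed sample environment:")
    for line in audit_environment(SAMPLE_ENV):
        print("  " + line)
    print("current process environment:")
    for line in audit_environment(os.environ) or ["  no findings"]:
        print("  " + line if not line.startswith("  ") else line)
    print("default ssl context verifies:", default_context_verifies())
```

The environment audit only catches the blind-write case the thread describes; `default_context_verifies()` is the check that matters at runtime, because it reports what the process will actually do regardless of how the environment was populated.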