oss-sec mailing list archives
Re: ipython3 may execute code from the current working directory
From: Mats Wichmann <mats () wichmann us>
Date: Fri, 23 Jul 2021 14:39:33 -0600
On 7/22/21 5:35 AM, Jakub Wilk wrote:
> * Georgi Guninski <gguninski () gmail com>, 2021-07-22, 11:52:
>> Summary: under certain circumstances, ipython3 may execute code from the current working directory.
>
> Looks like this might be intentional? Or at least there's an option to turn off this behavior:
>
> https://github.com/ipython/ipython/blob/7.25.0/IPython/core/shellapp.py#L219
Normally (CPython), an empty string in sys.path doesn't mean "current directory", it means "script directory", the directory the script you're running is found in [1]. That only falls back to current directory in case there is no script directory - which happens if you invoke the interpreter interactively. So maybe ipython isn't interpreting this the same way?
There has been more than one security concern about the way this makes it possible for untrusted modules to get loaded.
[1] https://docs.python.org/3/library/sys.html#sys.path
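The sys.path behaviour discussed in this message can be checked directly. The following is an added example, not part of the original post and not IPython code: it starts child CPython interpreters in three modes and reports `sys.path[0]` together with any entry that resolves to the working directory. The helper names, the temporary `show.py` script, and the use of CPython's `-I` (isolated mode) flag as a comparison are choices made for this example.

```python
import json
import os
import subprocess
import sys
import tempfile

DUMP = "import json, sys; print(json.dumps(sys.path))"

def child_sys_path(argv, cwd):
    """Start a child interpreter in cwd and return its sys.path as a list."""
    # Remove variables that alter how the child builds sys.path.
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONPATH", "PYTHONSAFEPATH")}
    proc = subprocess.run([sys.executable, *argv], cwd=cwd, env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def cwd_entries(paths, cwd):
    """Return the entries of a sys.path-style list that resolve to cwd."""
    real_cwd = os.path.realpath(cwd)
    # '' is resolved against the working directory at import time, and
    # os.path.join(cwd, '') is cwd itself, so one comparison covers '',
    # '.', and an absolute path equal to cwd.
    return [p for p in paths
            if os.path.realpath(os.path.join(cwd, p)) == real_cwd]

def demo():
    """Map each invocation mode to (sys.path[0], entries pointing at cwd)."""
    with tempfile.TemporaryDirectory() as scripts, \
            tempfile.TemporaryDirectory() as work:
        script = os.path.join(scripts, "show.py")  # constructed sample script
        with open(script, "w") as fh:
            fh.write(DUMP + "\n")
        modes = {"-c": ["-c", DUMP],           # no script directory
                 "script": [script],           # script lives outside cwd
                 "-I -c": ["-I", "-c", DUMP]}  # isolated mode
        report = {}
        for name, argv in modes.items():
            paths = child_sys_path(argv, work)
            report[name] = (paths[0], cwd_entries(paths, work))
        report["script_dir"] = os.path.realpath(scripts)
        return report

if __name__ == "__main__":
    for mode, value in demo().items():
        print(f"{mode:10} {value}")
```

Running `cwd_entries(sys.path, os.getcwd())` inside any Python-based shell or tool shows whether imports in that session can be satisfied from the directory it was started in.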