Re: Potential symlink attack in python3 __pycache__

[Jakub Wilk <jwilk () jwilk net>]

* Santiago Torres <torresariass () gmail com>, 2021-07-26, 12:21:
> On Mon, Jul 26, 2021 at 06:59:30PM +0300, Georgi Guninski wrote:
> > python3 shell is still vulnerable from modules in the current 
> > directory, but some of them like |sys| and |os| can't be spoofed.
>
> Is this a consequence of sys/os being special exceptions, or the fact 
> that they are (if my memory doesn't fail me) a bunch of bindings to C 
> so's?

The "sys" module is compiled into the Python interpreter itself. 
Importing it never involves traversing sys.path.

The "os" module is another story. This module is imported during the 
interpreter initialization, apparently before cwd is added to sys.path, 
so subsequent "import os" is no-op. But if you tried reloading it, the 
code from cwd would be executed:

  $ echo 'print("moo")' > os.py
  $ python3 -c 'import os; print(os)'
  <module 'os' from '/usr/lib/python3.9/os.py'>
  $ python3 -c 'import os, importlib; importlib.reload(os)'
  moo

--
Jakub Wilk