oss-sec mailing list archives
Re: Potential symlink attack in python3 __pycache__
From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 26 Jul 2021 19:13:03 +0200
* Santiago Torres <torresariass () gmail com>, 2021-07-26, 12:21:
On Mon, Jul 26, 2021 at 06:59:30PM +0300, Georgi Guninski wrote:python3 shell is still vulnerable from modules in the current directory, but some of them like |sys| and |os| can't be spoofed.Is this a consequence of sys/os being special exceptions, or the fact that they are (if my memory doesn't fail me) a bunch of bindings to C so's?
The "sys" module is compiled into the Python interpreter itself. Importing it never involves traversing sys.path.
The "os" module is another story. This module is imported during the interpreter initialization, apparently before cwd is added to sys.path, so subsequent "import os" is no-op. But if you tried reloading it, the code from cwd would be executed:
$ echo 'print("moo")' > os.py $ python3 -c 'import os; print(os)' <module 'os' from '/usr/lib/python3.9/os.py'> $ python3 -c 'import os, importlib; importlib.reload(os)' moo -- Jakub Wilk
Current thread:
- Potential symlink attack in python3 __pycache__ Georgi Guninski (Jul 24)
- Re: Potential symlink attack in python3 __pycache__ Michael Orlitzky (Jul 24)
- Re: Potential symlink attack in python3 __pycache__ Georgi Guninski (Jul 26)
- Re: Potential symlink attack in python3 __pycache__ Santiago Torres (Jul 26)
- Re: Potential symlink attack in python3 __pycache__ Jakub Wilk (Jul 26)
- Re: Potential symlink attack in python3 __pycache__ Georgi Guninski (Jul 26)
- Re: Potential symlink attack in python3 __pycache__ Michael Orlitzky (Jul 24)