Date: Thu, 5 Jun 2008 10:10:55 +0200 From: Robert Buchholz <rbu@...too.org> To: oss-security@...ts.openwall.com Cc: Ned Ludd <solar@...too.org> Subject: Re: Python Unsafe Module Loading On Wednesday 04 June 2008, Ned Ludd wrote: > So for nearly every python based program you can simply dump *.so > *.py *.pyc files just about anywhere on the file system where an > admin might invoke python. As I also pointed out in our bug , this only happens in two cases: (1) The interactive shell is used to run python code. (2) A python script resides inside an untrusted directory. What I expect to be the most common use case, running python code from /usr, or /home, is safe. Since all out-of-the-box software would be installed in directories that are not world-writable, I am tempted call (2) an error on the user side. Changing the behaviour of python in this manner would also break existing programs. Robert  https://bugs.gentoo.org/show_bug.cgi?id=224925 Download attachment "signature.asc " of type "application/pgp-signature" (836 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.