Message-ID: <CAGUWgD9MsQts5_jV9=nr8X6mwZyW-NU2JzYnosdMqQ0G06nH6w@mail.gmail.com>
Date: Thu, 22 Jul 2021 11:52:05 +0300
From: Georgi Guninski <gguninski@...il.com>
To: oss-security@...ts.openwall.com
Subject: ipython3 may execute code from the current working directory

Summary: under certain circumstances, ipython3 may execute
code from the current working directory. This might be a
problem if the current working directory is not trusted.

python3 is safe.

Tested on Ubuntu 20.

The following session illustrates it:

joro@...lokote:~/tests/dir2$ pwd
/home/joro/tests/dir2
joro@...lokote:~/tests/dir2$ ipython3 --version
7.13.0
joro@...lokote:~/tests/dir2$ ls ~/tests/dir1
a.py  joro-orig.py  __pycache__
joro@...lokote:~/tests/dir2$ ls ~/tests/dir2
joro.py  __pycache__
joro@...lokote:~/tests/dir2$ cat ~/tests/dir1/a.py
try:  import joro
except:  print("error in import")
joro@...lokote:~/tests/dir2$ cat ~/tests/dir2/joro.py
print("imported joro :)")
joro@...lokote:~/tests/dir2$ ipython3 ~/tests/dir1/a.py
imported joro :)
joro@...lokote:~/tests/dir2$
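
A defender-side check for the condition reported above, added here as an example and not part of the original message: it lists module search path entries that resolve to the current working directory and tests whether a given import would be satisfied from there. The function names and the temporary dir1/dir2 layout (modelled on the session above) are constructed, and it assumes the behaviour comes from the working directory being on the module search path.

```python
import importlib
import os
import sys
import tempfile
from importlib.machinery import PathFinder


def cwd_entries(search_path, cwd):
    """Entries of search_path that point at cwd ('' and '.' both mean cwd)."""
    cwd = os.path.realpath(cwd)
    return [p for p in search_path
            if os.path.realpath(os.path.join(cwd, p)) == cwd]


def loaded_from_cwd(name, search_path, cwd):
    """True if `import name` would be satisfied by a file located in cwd."""
    importlib.invalidate_caches()
    # Resolve relative entries ('' included) against cwd, as the interpreter would.
    absolute = [os.path.normpath(os.path.join(cwd, p)) for p in search_path]
    spec = PathFinder.find_spec(name, absolute)
    if spec is None or not spec.origin:
        return False
    origin_dir = os.path.dirname(os.path.realpath(spec.origin))
    return origin_dir == os.path.realpath(cwd)


def demo():
    """Rebuild the dir1/dir2 layout in a temp dir (constructed sample)."""
    with tempfile.TemporaryDirectory() as root:
        dir1, dir2 = os.path.join(root, "dir1"), os.path.join(root, "dir2")
        os.mkdir(dir1)
        os.mkdir(dir2)
        with open(os.path.join(dir1, "a.py"), "w") as f:
            f.write("import joro\n")
        with open(os.path.join(dir2, "joro.py"), "w") as f:
            f.write('print("imported joro :)")\n')
        script_dir_only = [dir1]   # only the script's directory is searched
        with_cwd = ["", dir1]      # assumption: cwd ('') is searched as well
        return (loaded_from_cwd("joro", script_dir_only, dir2),
                loaded_from_cwd("joro", with_cwd, dir2),
                cwd_entries(with_cwd, dir2))


if __name__ == "__main__":
    # Audit the running interpreter; compare the result under python3 and ipython3.
    print("cwd entries in sys.path:", cwd_entries(sys.path, os.getcwd()))
    print("demo (script dir only, with cwd, cwd entries):", demo())
```

A non-empty first list when run from an untrusted directory means a failed or optional import in the script can be satisfied by a file planted there.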
