pythonloc
Untrusted arbitrary code execution?
Is this expected?
antoine@elune /tmp/tmp.ucyPsHjPcy/untrusted_code % cat /usr/bin/grep.py
#!/usr/bin/env python3
import os
print('Running grep.')
antoine@elune /tmp/tmp.ucyPsHjPcy/untrusted_code % cat os.py
print('MALICIOUS')
antoine@elune /tmp/tmp.ucyPsHjPcy/untrusted_code % pythonloc /usr/bin/grep.py
MALICIOUS
Fatal Python error: initsite: Failed to import the site module
Traceback (most recent call last):
[...]
AttributeError: module 'os' has no attribute 'path'
It doesn't seem reasonable at all to me that running a random script installed on my system with pythonloc would override its libraries with potentially arbitrary code in the directory I'm running the script from.
The fix is just this:
diff --git a/pythonloc/pythonloc.py b/pythonloc/pythonloc.py
index f5f77bf..913223f 100644
--- a/pythonloc/pythonloc.py
+++ b/pythonloc/pythonloc.py
@@ -27,7 +27,7 @@ def _get_pypackages_lib_path(script_path=None):
def _get_env(script_path=None):
env = dict(os.environ)
env["PYTHONPATH"] = os.path.pathsep.join(
- [".", _get_pypackages_lib_path(script_path)]
+ [_get_pypackages_lib_path(script_path)]
+ os.getenv("PYTHONPATH", "").split(os.path.pathsep)
)
return env
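Review bot: on the added line `+ os.getenv("PYTHONPATH", "").split(os.path.pathsep)`, an unset PYTHONPATH still contributes one empty entry, because `"".split(os.path.pathsep)` returns `[""]`. The joined value then ends with a trailing separator, and CPython resolves an empty PYTHONPATH entry to the current directory, so the lookup that dropping `"."` was meant to remove comes back. Suggest skipping empty entries from the inherited value before concatenating, and deciding whether relative inherited entries should be passed through at all. A short comment in `_get_env` saying why the working directory is left out would help keep it from being re-added later.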
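A way to check a PYTHONPATH value for entries that depend on the working directory, which is the condition the issue above reports. This is an added example, not pythonloc's code: the function names and sample paths are hypothetical, and dropping relative inherited entries is an assumption about the desired policy.

```python
import os


def classify_entry(entry):
    """Say why a PYTHONPATH entry is unsafe, or return None if it is absolute."""
    if entry == "":
        return "empty entry (resolved against the working directory)"
    if not os.path.isabs(entry):
        return "relative entry (resolved against the working directory)"
    return None


def audit_pythonpath(value):
    """Return (entry, reason) for each entry that depends on the working directory."""
    findings = []
    for entry in value.split(os.path.pathsep):
        reason = classify_entry(entry)
        if reason:
            findings.append((entry, reason))
    return findings


def build_pythonpath(lib_path, inherited):
    """Put lib_path first, followed by the inherited entries that are absolute.

    Empty and relative inherited entries are dropped, because the child
    interpreter would resolve them against whatever directory it starts in.
    lib_path is pinned to an absolute path at the time of the call.
    """
    kept = [e for e in inherited.split(os.path.pathsep) if classify_entry(e) is None]
    return os.path.pathsep.join([os.path.abspath(lib_path)] + kept)


if __name__ == "__main__":
    sep = os.path.pathsep
    # Constructed sample path, not taken from the issue.
    lib = os.path.join(os.sep, "srv", "app", "__pypackages__", "3.8", "lib")
    samples = {
        "with '.' prepended": sep.join([".", lib]),
        "PYTHONPATH unset, unfiltered split": sep.join([lib] + "".split(sep)),
        "filtered": build_pythonpath(lib, ""),
    }
    for label, value in samples.items():
        print(f"{label}: {value!r} -> {audit_pythonpath(value)}")
```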