From: "Philip K." <philip@warpmail.net>
To: Eli Zaretskii <eliz@gnu.org>
Cc: 41619@debbugs.gnu.org
Subject: bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe local variable
Date: Tue, 16 Jun 2020 18:52:07 +0200 [thread overview]
Message-ID: <87a713q7go.fsf@warpmail.net> (raw)
In-Reply-To: <83tuzc17pd.fsf@gnu.org> (message from Eli Zaretskii on Mon, 15 Jun 2020 21:53:50 +0300)
Eli Zaretskii <eliz@gnu.org> writes:
>> From: Glenn Morris <rgm@gnu.org>
>> Date: Sat, 13 Jun 2020 13:20:29 -0400
>> Cc: eliz@gnu.org, philip.kaludercic@fau.de
>>
>>
>> I don't understand how python-shell-virtualenv-root can be considered a
>> safe local variable. Surely it controls what "python" executable gets run.
>>
>> As a test, I did:
>>
>> python3 -m venv /tmp/foo
>>
>> I then replaced /tmp/foo/bin/python with a shell-script:
>>
>> #!/bin/bash
>> echo oh-oh
>>
>> I then ran:
>> emacs -Q --eval '(setq python-shell-virtualenv-root "/tmp/foo")' -f python-mode
>> C-c C-p
>>
>> This gives an inferior Python buffer with contents:
>>
>> oh-oh
>>
>> Process Python finished
>>
>> In other words, this looks like a recipe for arbitrary code execution.
>
> Philip, could you please look into this? TIA.
First of all, sorry for the delayed response. I look a look at how
python.el uses python-shell-virtualenv-root and how virtualenv works in
general, and I think that Glenn's analysis is corret. One would have to
make sure that /tmp/foo/bin/python is an actual Python installation. Now
on my system it seems like python/python3 is always a symbolic link to
/usr/bin/python3 (if the virtual enviornment was created using python3),
but checking is neither portable or totally solves the issue.
with all odds agains you, you cannot
I've also noticed that in other places, people automatically activate
python environments, if for example in a shell, the path
`./venv/bin/activate` is valid, but nowhere could I find any validation
to ensure that arbitrary code isn't executed :(
Ultimatly, my estimation was wrong, and the variable shouldn't be marked
as safe, at least not with any heuristics that could warn the user if
the path is suspicious.
--
Philip K.
next prev parent reply other threads:[~2020-06-16 16:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-30 20:31 bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe local variable Philip K.
2020-06-13 7:42 ` Eli Zaretskii
2020-06-13 17:20 ` Glenn Morris
2020-06-15 18:53 ` Eli Zaretskii
2020-06-16 16:52 ` Philip K. [this message]
2020-06-16 17:18 ` Eli Zaretskii
2020-06-16 17:32 ` Philip K.
2020-06-16 17:54 ` Eli Zaretskii
2020-06-16 19:49 ` Philip K.
2020-06-20 8:47 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a713q7go.fsf@warpmail.net \
--to=philip@warpmail.net \
--cc=41619@debbugs.gnu.org \
--cc=eliz@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).