From: "Philip K."
Newsgroups: gmane.emacs.bugs
Subject: bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe local variable
Date: Tue, 16 Jun 2020 18:52:07 +0200
Message-ID: <87a713q7go.fsf@warpmail.net>
References: <87367htbaq.fsf@warpmail.net>
In-Reply-To: <83tuzc17pd.fsf@gnu.org> (message from Eli Zaretskii on Mon, 15 Jun 2020 21:53:50 +0300)
To: Eli Zaretskii
Cc: 41619@debbugs.gnu.org

Eli Zaretskii writes:

>> From: Glenn Morris
>> Date: Sat, 13 Jun 2020 13:20:29 -0400
>> Cc: eliz@gnu.org, philip.kaludercic@fau.de
>>
>>
>> I don't understand how python-shell-virtualenv-root can be considered a
>> safe local variable.
>> Surely it controls what "python" executable gets run.
>>
>> As a test, I did:
>>
>>   python3 -m venv /tmp/foo
>>
>> I then replaced /tmp/foo/bin/python with a shell-script:
>>
>>   #!/bin/bash
>>   echo oh-oh
>>
>> I then ran:
>>   emacs -Q --eval '(setq python-shell-virtualenv-root "/tmp/foo")' -f python-mode
>>   C-c C-p
>>
>> This gives an inferior Python buffer with contents:
>>
>>   oh-oh
>>
>>   Process Python finished
>>
>> In other words, this looks like a recipe for arbitrary code execution.
>
> Philip, could you please look into this? TIA.

First of all, sorry for the delayed response.

I took a look at how python.el uses python-shell-virtualenv-root and how
virtualenv works in general, and I think that Glenn's analysis is
correct. One would have to make sure that /tmp/foo/bin/python is an
actual Python installation. Now on my system it seems like
python/python3 is always a symbolic link to /usr/bin/python3 (if the
virtual environment was created using python3), but checking is neither
portable nor totally solves the issue.

with all odds against you, you cannot

I've also noticed that in other places, people automatically activate
python environments, if for example in a shell, the path
`./venv/bin/activate` is valid, but nowhere could I find any validation
to ensure that arbitrary code isn't executed :(

Ultimately, my estimation was wrong, and the variable shouldn't be marked
as safe, at least not with any heuristics that could warn the user if
the path is suspicious.

-- 
Philip K.
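
An added example, not part of this message, the patch, or python.el: how a user can check whether their Emacs would apply a file-local python-shell-virtualenv-root without prompting, and replace any blanket safety predicate with an explicit allowlist of vetted parent directories. The my/ names and the directory /home/user/src/trusted/ are hypothetical, and the allowlist records a trust decision made by the user; it does not verify what bin/python inside the directory is.

```elisp
;; Added example; not from the thread, the patch, or python.el.
;; Names prefixed my/ and the directory below are hypothetical.

(defvar my/trusted-venv-parents '("/home/user/src/trusted/")
  "Directories (placeholder value) whose virtualenvs the user has vetted.")

(defun my/trusted-venv-root-p (value)
  "Return non-nil if VALUE is a local directory below a vetted parent.
This encodes an explicit trust decision; it does not inspect what
VALUE/bin/python actually is."
  (and (stringp value)
       (file-name-absolute-p value)
       (not (file-remote-p value))      ; never resolve remote paths here
       (let (ok)
         (dolist (parent my/trusted-venv-parents ok)
           ;; `file-in-directory-p' compares truenames, so a symlink
           ;; that points outside PARENT does not pass.
           (when (file-in-directory-p value parent)
             (setq ok t))))))

(defun my/venv-root-applied-silently-p (value)
  "Return non-nil if Emacs would set the variable to VALUE without asking.
`safe-local-variable-p' consults both the symbol's
`safe-local-variable' property and `safe-local-variable-values'."
  (safe-local-variable-p 'python-shell-virtualenv-root value))

(defun my/harden-venv-root ()
  "Replace any existing safety predicate with the allowlist check."
  (put 'python-shell-virtualenv-root 'safe-local-variable
       #'my/trusted-venv-root-p))

(defun my/unmark-venv-root ()
  "Remove the safety predicate so every file-local value prompts."
  (put 'python-shell-virtualenv-root 'safe-local-variable nil))
```

Evaluating (my/venv-root-applied-silently-p "/tmp/foo") before and after (my/harden-venv-root) shows whether the value from Glenn's test would be accepted silently; values that fail the predicate fall back to the normal confirmation prompt for file-local variables.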