New submission from Daniel Thomas:

In Python 3.4 (but not 3.2 or 2.7), when a system module does an import, files with the same name in the directory of the original Python script which match that name are used.
E.g. with a directory containing:

test.py:

    #!/usr/bin/env python3
    from collections import OrderedDict
    print('do stuff')

operator.py:

    #!/usr/bin/env python3
    print('EXPLOIT!')

Running test.py will cause:

    EXPLOIT!
    Traceback (most recent call last):
      File "./test.py", line 4, in <module>
        from collections import OrderedDict
      File "/usr/lib/python3.4/collections/__init__.py", line 11, in <module>
        from operator import itemgetter as _itemgetter, eq as _eq
    ImportError: cannot import name 'itemgetter'

While test.py is perfectly innocent, it is in the same directory as the nasty operator.py, and test.py makes no reference at all to operator.py, but when 'collections' is imported it imports from operator, which is resolved to operator.py in the local directory.

This is a security vulnerability because it is possible to verify that a Python script is safe to run by reading its code and then, on running it, find that other code is implicitly loaded by the system libraries which is never referenced in the original file or part of any of the standard libraries. It is also rather confusing, but a related issue is already filed for that in issue21202.

This is similar to the standard name shadowing trap http://python-notes.curiousefficiency.org/en/latest/python_concepts/import_traps.html#the-name-shadowing-trap but now applies to other files in the source directory in a way which it didn't in previous versions of Python. I suspect this was introduced in Python 3.3 through changes to the import system and __init__.py becoming optional, but I don't have a 3.3 install to check that with.
sys.path here is:

    ['/auto/homes/drt24/pythontest', '/usr/lib/python3.4', '/usr/lib/python3.4/plat-x86_64-linux-gnu', '/usr/lib/python3.4/lib-dynload', '/usr/local/lib/python3.4/dist-packages', '/usr/lib/python3/dist-packages']

Running Python 3.4.0-0ubuntu2 on Ubuntu 14.04.1 LTS with Linux 3.13.0-32-generic

----------
components: Interpreter Core
messages: 225065
nosy: drt24
priority: normal
severity: normal
status: open
title: Local files shadow system modules, even from system modules
type: security
versions: Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22172>
_______________________________________
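A defensive check for the behaviour the report describes, added here as an example and not part of the bug report or of CPython: it lists entries in a script's directory whose names collide with standard-library modules, and shows which file the path-based finder actually picks when that directory is searched first, as sys.path[0] is. The function names stdlib_module_names, find_shadowing, resolve_origin and make_constructed_example are this example's own, and the directory it builds is a constructed reproduction of the report's layout.

```python
import importlib
import importlib.machinery
import os
import sys
import sysconfig
import tempfile

def stdlib_module_names():
    # sys.stdlib_module_names is 3.10+; older interpreters scan the stdlib dir.
    names = set(getattr(sys, "stdlib_module_names", ()))
    if not names:
        names.update(sys.builtin_module_names)
        stdlib_dir = sysconfig.get_paths()["stdlib"]
        for entry in os.listdir(stdlib_dir):
            base, ext = os.path.splitext(entry)
            if ext == ".py" or os.path.isdir(os.path.join(stdlib_dir, entry)):
                names.add(base)
    names.discard("__pycache__")
    return names

def find_shadowing(script_dir):
    """Map stdlib module name -> colliding entry in script_dir. Any .py file
    or directory counts: since 3.3 a package needs no __init__.py."""
    stdlib = stdlib_module_names()
    shadows = {}
    for entry in os.listdir(script_dir):
        base, ext = os.path.splitext(entry)
        full = os.path.join(script_dir, entry)
        if (ext == ".py" or os.path.isdir(full)) and base in stdlib:
            shadows[base] = full
    return shadows

def resolve_origin(module_name, script_dir):
    """Path the import system loads for module_name when script_dir is searched
    first; bypasses sys.modules so an already-imported stdlib copy can't mask it."""
    importlib.invalidate_caches()
    path = [script_dir] + [p for p in sys.path if p != script_dir]
    spec = importlib.machinery.PathFinder.find_spec(module_name, path)
    return spec.origin if spec else None

def make_constructed_example():
    # Constructed sample (not the reporter's files): test.py beside operator.py.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "test.py"), "w") as f:
        f.write("from collections import OrderedDict\nprint('do stuff')\n")
    with open(os.path.join(d, "operator.py"), "w") as f:
        f.write("print('shadowed operator module loaded')\n")
    return d
```

Running a script with `python -I` (isolated mode, available since 3.4) leaves the script's directory off sys.path entirely, so the local operator.py is never considered.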