New submission from Anand B Pillai:

>>> import platform
>>> print 'Actual =>',platform.uname()
Actual => ('Linux', 'toshiba-laptop', '3.13.0-24-generic', '#47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014', 'x86_64', 'x86_64')
>>> import hack_uname # Someone imports my module unaware of the hack (see attached file)
>>> platform.uname()
('Limux', 'hacker-laptop', '11.15.0-28000-absurd', '#10000 - FunkyDistro SMMP Fry Feb 30 2015 23:59:00 UTC 2015', 'x866_64', 'x866_64')

Fix - Make the global _uname_cache inaccessible via the module and hence unwriteable. I can provide a patch - it is kind of an easy fix.

I think this might also be a security issue since if someone is writing a significant piece of code based on the platform it can screw up the system - or his web application if a piece of code like this is introduced in a module via his chain of imports by a malicious hacker.

----------
components: Library (Lib)
files: hack_uname.py
messages: 239005
nosy: pythonhacker
priority: normal
severity: normal
status: open
title: platform._uname_cache is writeable
type: behavior
versions: Python 2.7, Python 3.4, Python 3.5
Added file: http://bugs.python.org/file38652/hack_uname.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23748>
_______________________________________
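
A defensive check for the behaviour reported above, added here as an example that is not part of the original report or of CPython: it compares the cached platform.uname() value with a freshly computed one and resets the cache. The function names are hypothetical, the code relies on the private attribute platform._uname_cache named in the report, and the spoofed tuple is the report's own output reused as a constructed test value.

```python
import platform

# Spoofed tuple copied from the report's session; a constructed test value only.
SPOOFED = ('Limux', 'hacker-laptop', '11.15.0-28000-absurd',
           '#10000 - FunkyDistro SMMP Fry Feb 30 2015 23:59:00 UTC 2015',
           'x866_64', 'x866_64')

def core_fields(value):
    """First five uname fields; accepts a uname_result or a plain tuple."""
    if hasattr(value, "system"):
        return (value.system, value.node, value.release,
                value.version, value.machine)
    return tuple(value)[:5]

def fresh_uname():
    """Recompute uname with the module-level cache bypassed, then put it back."""
    saved = platform._uname_cache
    platform._uname_cache = None
    try:
        return platform.uname()
    finally:
        platform._uname_cache = saved

def uname_cache_tampered():
    """True if the cached value disagrees with a freshly computed one."""
    cached = platform._uname_cache
    if cached is None:          # nothing cached yet, nothing to compare
        return False
    try:
        return core_fields(cached) != core_fields(fresh_uname())
    except TypeError:           # cache holds something that is not a sequence
        return True

def reset_uname_cache():
    """Drop the cached value so the next platform.uname() call recomputes it."""
    platform._uname_cache = None
    return platform.uname()

def self_check():
    """Clean -> spoofed -> repaired; returns the detector's verdict at each step."""
    reset_uname_cache()
    clean = uname_cache_tampered()
    platform._uname_cache = SPOOFED
    spoofed = uname_cache_tampered()
    reset_uname_cache()
    return clean, spoofed, uname_cache_tampered()
```

This only covers the cache: an imported module that rebinds platform.uname or os.uname themselves would pass the comparison, so the check complements import review rather than replacing it.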