New submission from STINNER Victor <vstin...@redhat.com>:
Currently, posixpath.defpath is equal to:

    defpath = ':/bin:/usr/bin'

It gives 3 directories:

    >>> posixpath.defpath.split(posixpath.pathsep)
    ['', '/bin', '/usr/bin']

where the empty string means "the current directory". Trying to locate an executable from the current directory can be a security issue when an attacker tries to execute an arbitrary command.

The Linux exec(3) manual page contains an interesting note about the removal of the empty string from glibc 2.24 by accident:

http://man7.org/linux/man-pages/man3/execvp.3.html

NOTES

    The default search path (used when the environment does not contain the variable PATH) shows some variation across systems. It generally includes /bin and /usr/bin (in that order) and may also include the current working directory. On some other systems, the current working is included after /bin and /usr/bin, as an anti-Trojan-horse measure. The glibc implementation long followed the traditional default where the current working directory is included at the start of the search path. However, some code refactoring during the development of glibc 2.24 caused the current working directory to be dropped altogether from the default search path. This accidental behavior change is considered mildly beneficial, and won't be reverted.

    (...)

Context of this issue: This discussion started from my PR 11579 which modifies the subprocess module to use posix_spawnp():

https://github.com/python/cpython/pull/11579#pullrequestreview-193261299

So I propose to replace

    defpath = ':/bin:/usr/bin'

with

    defpath = '/bin:/usr/bin'

which gives 2 directories:

    >>> '/bin:/usr/bin'.split(posixpath.pathsep)
    ['/bin', '/usr/bin']

This change would only affect os.get_exec_path(), and so indirectly the subprocess module (when the executable contains no directory), *when the PATH environment variable is not set*.
----------
components: Library (Lib)
messages: 333801
nosy: christian.heimes, giampaolo.rodola, gregory.p.smith, vstinner
priority: normal
severity: normal
status: open
title: Remove current directory from posixpath.defpath to enhance security
type: security
versions: Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35755>
_______________________________________
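
An added example, not part of the original message or of CPython's code: it audits a search-path string for entries that depend on the current directory and emulates the lookup to show how the two defpath values from the message resolve the same command differently. The helper names (risky_entries, resolve, demo) and the command name are hypothetical, and the executable is constructed in a temporary directory.

```python
import os
import stat
import tempfile

OLD_DEFPATH = ":/bin:/usr/bin"   # value quoted in the message
NEW_DEFPATH = "/bin:/usr/bin"    # value proposed in the message


def risky_entries(search_path, sep=":"):
    """Return (index, entry, reason) for entries that depend on the cwd."""
    findings = []
    for index, entry in enumerate(search_path.split(sep)):
        if entry == "":
            findings.append((index, entry, "empty entry means current directory"))
        elif not entry.startswith("/"):
            findings.append((index, entry, "relative entry resolved against cwd"))
    return findings


def resolve(command, search_path, cwd, sep=":"):
    """Emulate the search-path walk: the first executable regular file wins."""
    for entry in search_path.split(sep):
        # "" joins to cwd itself; an absolute entry replaces cwd entirely.
        directory = os.path.join(cwd, entry)
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo():
    """Resolve a constructed command name under both default paths."""
    name = "constructed-demo-tool"  # assumed absent from /bin and /usr/bin
    with tempfile.TemporaryDirectory() as cwd:
        tool = os.path.join(cwd, name)
        with open(tool, "w") as handle:
            handle.write("#!/bin/sh\nexit 0\n")
        os.chmod(tool, stat.S_IRWXU)
        old = resolve(name, OLD_DEFPATH, cwd)   # found via the empty entry
        new = resolve(name, NEW_DEFPATH, cwd)   # cwd is never searched
        return old == tool, new


if __name__ == "__main__":
    print(risky_entries(OLD_DEFPATH), risky_entries(NEW_DEFPATH), demo())
```

The same audit can be run over a process's actual PATH value, since an empty or relative entry there has the same effect as the one in the old default.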