New submission from Christian Heimes <li...@cheimes.de>:

The subinterpreters module does not emit any audit events yet. It's possible to create a subinterpreter and run arbitrary code through run_string(). We should also improve documentation of sys.addaudithook() and explain what 'current interpreter' actually means. I guess most users don't realize the consequences for subinterpreters.

$ ./python auditsub.py
('os.system', (b'echo main interpreter',))
main interpreter
you got pwned

[heimes@seneca cpython]$ cat au
auditsub.py      autom4te.cache/
[heimes@seneca cpython]$ cat auditsub.py
import sys
import _xxsubinterpreters

def hook(*args):
    print(args)

sys.addaudithook(hook)

import os
os.system('echo main interpreter')

sub = _xxsubinterpreters.create()
_xxsubinterpreters.run_string(sub, "import os; os.system('echo you got pwned')", None)

$ ./python auditsub.py
('os.system', (b'echo main interpreter',))
main interpreter
you got pwned

----------
components: Interpreter Core, Subinterpreters
messages: 388489
nosy: christian.heimes, eric.snow, steve.dower
priority: normal
severity: normal
status: open
title: [security][subinterpreters] Add auditing hooks to subinterpreter module
type: security
versions: Python 3.10

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43472>
_______________________________________
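An added example, not part of Christian's report or of CPython's own code, that shows from the defender's side why the hook in auditsub.py never sees the second os.system call: sys.addaudithook() registers a hook with the calling interpreter only, so audit coverage of a subinterpreter needs a hook installed inside that interpreter. Assumptions: CPython's private module is importable as _interpreters (3.13+) or _xxsubinterpreters (3.8-3.12), and the event name demo.sensitive_action is constructed here as a stand-in for os.system.

```python
import os
import sys
import tempfile

EVENT = "demo.sensitive_action"  # constructed event name, standing in for e.g. os.system
_main_events = []                # (event, args) pairs seen by the main interpreter's hook
for _name in ("_interpreters", "_xxsubinterpreters"):  # 3.13+ / 3.8-3.12 private names (assumption)
    try:
        _subinterp = __import__(_name)
        break
    except ImportError:
        _subinterp = None

def _main_hook(event, args):
    _main_events.append((event, args))
sys.addaudithook(_main_hook)  # registered with the main interpreter only

def check_audit_coverage():
    """Raise EVENT in the main interpreter and in a fresh subinterpreter and report who saw it.
    sys.addaudithook() hooks are per-interpreter, so the subinterpreter installs its own hook."""
    sys.audit(EVENT, "main")
    result = {"main_saw_main": (EVENT, ("main",)) in _main_events, "sub_available": False,
              "main_saw_sub": False, "sub_hook_saw_sub": False, "sub_error": None}
    if _subinterp is None:
        return result
    result["sub_available"] = True
    fd, path = tempfile.mkstemp()  # fds are process-wide, Python objects are not shareable
    os.close(fd)
    script = f"""import os, sys
fd = os.open({path!r}, os.O_WRONLY | os.O_APPEND)
def hook(ev, args):
    try: os.write(fd, (ev + '\\n').encode())  # errors after fd is closed at teardown are ignored
    except Exception: pass
sys.addaudithook(hook)
sys.audit({EVENT!r}, 'sub')
os.close(fd)"""
    sub = _subinterp.create()
    try:
        result["sub_error"] = _subinterp.run_string(sub, script, None)  # 3.13+ returns excinfo on failure
    except Exception as exc:                                            # <=3.12 raises instead
        result["sub_error"] = exc
    finally:
        _subinterp.destroy(sub)
    with open(path) as f:
        result["sub_hook_saw_sub"] = EVENT in f.read().split()
    os.unlink(path)
    result["main_saw_sub"] = (EVENT, ("sub",)) in _main_events
    return result
```

C-level hooks registered with PySys_AddAuditHook are process-wide and are the other route to covering every interpreter.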