[Bf-committers] [Patch]Solving security issues CVE-2008-1103 (partialy) and CVE-2008-4083

Martin Poirier theeth at yahoo.com
Wed Jan 20 21:02:48 CET 2010


To be perfectly secure, we would need to remove all paths that evaluate to the current working directory.

That includes ".", "./" and many others.

Basically:

import os
import sys

# Drop every entry that names the current working directory ("" and "." included);
# the exists() guard is needed because os.path.samefile raises on a missing path.
sys.path = list(filter(lambda x: not (x == "" or (os.path.exists(x) and os.path.samefile(x, "."))), sys.path))

On the other hand, that's nasty if the user added the current dir to his path (or even worse, if he's running from inside a valid path directory).

IMHO, that's a rather stupid "security" issue. If someone has permissions to write a file in my current directory, he could just write the same file in an installation folder (.blender/scripts/io for example) or in the user defined script folder (if defined) and there's NOTHING (barring insane signing methods) that could be done to prevent that from running.

Solution: Don't give people write access to your folders.

Martin

--- On Wed, 1/20/10, Campbell Barton <ideasman42 at gmail.com> wrote:

> From: Campbell Barton <ideasman42 at gmail.com>
> Subject: Re: [Bf-committers] [Patch]Solving security issues CVE-2008-1103 (partialy) and CVE-2008-4083
> To: "bf-blender developers" <bf-committers at blender.org>
> Received: Wednesday, January 20, 2010, 2:39 PM
> Committed this...
> sys.path[:] = filter(None, sys.path)
> 
> Note that this filters out anything that is evaluated as False. In
> this case an empty string acts like ".", come to think of it, shouldn't
> "." get filtered out also?
> 
> On Wed, Jan 20, 2010 at 8:27 PM, Jochen Schmitt <Jochen at herr-schmitt.de> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Am 20.01.2010 20:11, schrieb Campbell Barton:
> >
> >>>>> filter(None, sys.path)
> >> <filter object at 0x4ca4eb0>
> >>
> >> Can write this differently in the bpy __init__.py file
> >
> > OK, regarding of
> >
> > http://diveintopython3.org/porting-code-to-python-3-with-2to3.html#filter
> >
> > it should be:
> >
> > PyRun_SimpleString("import sys; sys.path = [i for i in sys.path if i]");
> >
> > A modified version of the patch is attached on this mail.
> >
> > Best Regards:
> >
> > Jochen Schmitt
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.10 (GNU/Linux)
> > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> >
> > iJwEAQECAAYFAktXWTIACgkQZLAIBz9lVu/3dAP/R6y8Kkm91Odhc3FmoIY7IZKC
> > WC7P+Fh5zJQxkkm3cas4XwZXM4Ov9ChXibiRf7/TaYi4/+WFIGuQedOFVkW84Eur
> > OTLGERtKPhu111SbQ/8EkGZW5oxetENul7+AdA8d++cv73NjiwlivMQcM7V+zduZ
> > YoOl9whJTVblXifUd1c=
> > =2+f1
> > -----END PGP SIGNATURE-----
> >
> >
> > _______________________________________________
> > Bf-committers mailing list
> > Bf-committers at blender.org
> > http://lists.blender.org/mailman/listinfo/bf-committers
> >
> >
> 
> 
> 
> -- 
> - Campbell
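The two policies discussed in this thread, side by side, as an added example that is not code from Blender or from any of the posters: the committed one-liner only removes the empty string (the implicit "current directory" entry), while Martin's stricter proposal removes every entry that resolves to the working directory, including ".", "./", its absolute spelling, and anything that normalises to it. The sample path list and the directory "/nonexistent/proj" are constructed for the demonstration; the helper names are assumptions. The last call shows the caveat raised in the thread: if the working directory is itself a legitimate script directory, the strict policy removes that entry too.

```python
import os
import sys

# Constructed sample, not a real sys.path: the kinds of entries that make the
# import system search the working directory, plus two legitimate entries.
SAMPLE_CWD = "/nonexistent/proj"
SAMPLE_PATH = [
    "",                                 # implicit CWD (what filter(None, ...) removes)
    ".",
    "./",
    "/nonexistent/proj",                # absolute spelling of the same directory
    "/nonexistent/proj/sub/..",         # normalises back to the CWD
    "/usr/lib/python3/dist-packages",
    "/nonexistent/proj/scripts",        # a subdirectory is not the CWD and stays
]


def strip_empty_entries(entries):
    """The committed fix: drop only falsy entries, i.e. the empty string."""
    return [p for p in entries if p]


def resolves_to_cwd(entry, cwd):
    """True if an entry, interpreted the way the import system would, names cwd.

    Relative entries are resolved against cwd; realpath() also follows symlinks,
    so a symlink pointing at the working directory is caught as well.
    """
    if entry == "":
        return True
    return os.path.realpath(os.path.join(cwd, entry)) == os.path.realpath(cwd)


def strip_cwd_equivalents(entries, cwd=None):
    """The stricter proposal: drop every entry that resolves to cwd."""
    if cwd is None:
        cwd = os.getcwd()
    return [p for p in entries if not resolves_to_cwd(p, cwd)]


def harden_sys_path(strict=False):
    """Apply one of the two policies to the live sys.path in place.

    Slice assignment (sys.path[:] = ...) keeps other references to the list
    valid, which is why the committed one-liner is written that way.
    """
    cleaned = strip_cwd_equivalents(sys.path) if strict else strip_empty_entries(sys.path)
    sys.path[:] = cleaned
    return cleaned


if __name__ == "__main__":
    print(strip_empty_entries(SAMPLE_PATH))
    print(strip_cwd_equivalents(SAMPLE_PATH, SAMPLE_CWD))
    # Caveat from the thread: a CWD that is itself a legitimate script
    # directory is removed along with the implicit entries.
    print(strip_cwd_equivalents(["/usr/lib/python3/dist-packages"],
                                "/usr/lib/python3/dist-packages"))
```

Neither policy addresses the broader point made above: an attacker who can write into the working directory can often write into a configured script directory as well, so path filtering only closes the implicit-CWD case, not write access to script locations.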

