Message 173000 - Python tracker

Message173000

Author	jdemeyer
Recipients	Alan.Williams, Arfrever, benjamin.peterson, christian.heimes, eric.araujo, eric.snow, georg.brandl, hasufell, hynek, iankko, jdemeyer, ncoghlan, robertwb, schmir, tarek, vbraun, vstinner
Date	2012-10-15.20:24:59
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1350332699.19.0.739265778461.issue16202@psf.upfronthosting.co.za>
In-reply-to

Content
I should point out that there is also dangerous code in Lib/test/test_subprocess.py in the test_cwd() function. There, the following is executed from /tmp: python -c 'import sys,os; sys.stdout.write(os.getcwd())' As Python luckily knows where to import sys and os from, this doesn't seem exploitable, but it should be fixed.

Content

I should point out that there is also dangerous code in Lib/test/test_subprocess.py in the test_cwd() function.  There, the following is executed from /tmp:

  python -c 'import sys,os; sys.stdout.write(os.getcwd())'

As Python luckily knows where to import sys and os from, this doesn't seem exploitable, but it should be fixed.

History
Date	User	Action	Args
2012-10-15 20:24:59	jdemeyer	set	recipients: + jdemeyer, georg.brandl, ncoghlan, vstinner, christian.heimes, schmir, robertwb, benjamin.peterson, tarek, eric.araujo, Arfrever, iankko, eric.snow, hynek, Alan.Williams, vbraun, hasufell
2012-10-15 20:24:59	jdemeyer	set	messageid: <1350332699.19.0.739265778461.issue16202@psf.upfronthosting.co.za>
2012-10-15 20:24:59	jdemeyer	link	issue16202 messages
2012-10-15 20:24:59	jdemeyer	create