Message 229788 - Python tracker

Message229788

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	aidanhs
Recipients	aidanhs
Date	2014-10-21.21:03:43
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1413925424.96.0.804566099113.issue22689@psf.upfronthosting.co.za>
In-reply-to

Content
Posix says the following on the subject of getenv: > The returned string pointer might be invalidated or the string content might be overwritten by a subsequent call to getenv() (http://pubs.opengroup.org/onlinepubs/9699919799/functions/getenv.html) Unfortunately, in Modules/getpath.c: static void calculate_path(void) { [...] char _rtpypath = Py_GETENV("PYTHONPATH"); / XXX use wide version on Windows / wchar_t rtpypath = NULL; wchar_t home = Py_GetPythonHome(); char _path = getenv("PATH"); So 3 potential getenv calls in quick succession, meaning _rtpypath and home can become junk before they get used and Python crashes before it can start up (it becomes unable to find the site module). Unfortunately it looks like the assumption that getenv pointers will remain safe forever is used in a few places in python. Explicit notes on the correct use of getenv: https://www.securecoding.cert.org/confluence/display/seccode/ENV34-C.+Do+not+store+pointers+returned+by+certain+functions Someone's apparently seen this before (but didn't report it?) - http://sourceforge.net/p/edk2/mailman/edk2-devel/thread/66BD57653246D24E9698B0A6509545A86DDB863C@ORSMSX109.amr.corp.intel.com/

Content

Posix says the following on the subject of getenv:

> The returned string pointer might be invalidated or the string content might be overwritten by a subsequent call to getenv()

(http://pubs.opengroup.org/onlinepubs/9699919799/functions/getenv.html)

Unfortunately, in Modules/getpath.c:

static void
calculate_path(void)
{
[...]
    char *_rtpypath = Py_GETENV("PYTHONPATH"); /* XXX use wide version on Windows */
    wchar_t *rtpypath = NULL;
    wchar_t *home = Py_GetPythonHome();
    char *_path = getenv("PATH");

So 3 potential getenv calls in quick succession, meaning _rtpypath and home can become junk before they get used and Python crashes before it can start up (it becomes unable to find the site module).

Unfortunately it looks like the assumption that getenv pointers will remain safe forever is used in a few places in python.

Explicit notes on the correct use of getenv: https://www.securecoding.cert.org/confluence/display/seccode/ENV34-C.+Do+not+store+pointers+returned+by+certain+functions

Someone's apparently seen this before (but didn't report it?) - http://sourceforge.net/p/edk2/mailman/edk2-devel/thread/66BD57653246D24E9698B0A6509545A86DDB863C@ORSMSX109.amr.corp.intel.com/

History
Date	User	Action	Args
2014-10-21 21:03:45	aidanhs	set	recipients: + aidanhs
2014-10-21 21:03:44	aidanhs	set	messageid: <1413925424.96.0.804566099113.issue22689@psf.upfronthosting.co.za>
2014-10-21 21:03:44	aidanhs	link	issue22689 messages
2014-10-21 21:03:43	aidanhs	create