Editing text with an external editor in Python

Cameron Simpson cs at zip.com.au
Mon Sep 1 18:14:14 EDT 2014 

On 02Sep2014 04:02, Steven D'Aprano <steve+comp.lang.python at pearwood.info> wrote:
>Roy Smith wrote:
>> Hmmm.  Didn't we just have a thread about passing external data to
>> shells?
>>
>> $ mkdir '/tmp/;rm -rf;'
>> $ TMPDIR='/tmp/;rm -rf;' python
>> Python 2.7.3 (default, Sep 26 2013, 20:03:06)
>> [GCC 4.6.3] on linux2
>> Type "help", "copyright", "credits" or "license" for more information.
>>>>> import tempfile
>>>>> f = tempfile.NamedTemporaryFile()
>>>>> f.name
>> '/tmp/;rm -rf;/tmpW8HFTr'
>
>Seems like a lot of trouble to go to to erase your own system. Couldn't you
>just run rm -rf / on your own system prior to launching Python?
>
>But seriously, I'm not sure what attack vector you think you have found.
>By definition, this is calling out to an external application, which might
>do *anything*. It needs to be used in a trusted environment, like any other
>tool which calls out to external applications.
[...]
>I'm not really seeing how this is a security vulnerability. If somebody can
>break into my system and set a hostile GIT_EDITOR, or TMPDIR, environment
>variables, I've already lost.
[...]
>Have I missed something? I really don't think this is a vulnerability, and I
>don't see how using the subprocess module would make it safer.

It is not just about being hacked.

It is about being robust in the face of unusual setups.

If I were producing this function for general use (even my own personal general 
use) it would need to be reliable. That includes things like $TMPDIR having 
spaces in it (or other unfortunate punctuation).

On any system where people use GUIs to manipulate files and folders, having 
spaces and arbitrary punctuation in pathnames is common. Pointing $TMPDIR at 
such a place for a special purpose is not unreasonable.

People keep assuming injection is all about malice and being hacked. It is not.  
It is also about robustness and reliability, and possible silent 
failure/misfunction.

Cheers,
Cameron Simpson <cs at zip.com.au>

Steph at ensoniq.com says...
| Motorcycle maintenence is an art, isn't it?
By the time you've finished, it's a black art.
         - Dave Parry <d.parry at ic.ac.uk>

More information about the Python-list mailing list