[issue43472] [security][subinterpreters] Add auditing hooks to subinterpreter module
Christian Heimes
report at bugs.python.org
Thu Mar 11 04:31:02 EST 2021
New submission from Christian Heimes <lists at cheimes.de>:
The subinterpreters module does not emit any audit events yet. It's possible to create a subinterpreter and run arbitrary code through run_string().
We should also improve documentation of sys.addaudithook() and explain what 'current interpreter' actually means. I guess most users don't realize the consequences for subinterpreters.
$ ./python auditsub.py
('os.system', (b'echo main interpreter',))
main interpreter
you got pwned
[heimes at seneca cpython]$ cat au
auditsub.py autom4te.cache/
[heimes at seneca cpython]$ cat auditsub.py
import sys
import _xxsubinterpreters
def hook(*args):
print(args)
sys.addaudithook(hook)
import os
os.system('echo main interpreter')
sub = _xxsubinterpreters.create()
_xxsubinterpreters.run_string(sub, "import os; os.system('echo you got pwned')", None)
$ ./python auditsub.py
('os.system', (b'echo main interpreter',))
main interpreter
you got pwned
----------
components: Interpreter Core, Subinterpreters
messages: 388489
nosy: christian.heimes, eric.snow, steve.dower
priority: normal
severity: normal
status: open
title: [security][subinterpreters] Add auditing hooks to subinterpreter module
type: security
versions: Python 3.10
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43472>
_______________________________________
More information about the Python-bugs-list
mailing list