[Python-Dev] PEP 493: HTTPS verification migration tools for Python 2.7

Nick Coghlan ncoghlan at gmail.com
Thu Feb 25 03:36:10 EST 2016


On 25 February 2016 at 07:14, M.-A. Lemburg <mal at egenix.com> wrote:
> On 24.02.2016 21:39, Cory Benfield wrote:
>>
>>> On 24 Feb 2016, at 12:19, M.-A. Lemburg <mal at egenix.com> wrote:
>>>
>>> On 24.02.2016 12:28, Cory Benfield wrote:
>>>> I’m not entirely sure this is accurate. Specifically, an attacker that is able to set environment variables but nothing else (no filesystem access) would be able to disable hostname validation. To my knowledge this is the only environment variable that could be set that would do that.
>>>
>>> An attacker with access to the OS environment of a process would
>>> be able to do lots of things. I think disabling certificate checks
>>> is not one of the highest ranked attack vectors you'd use, given
>>> such capabilities :-)
>>>
>>> Think of LD_PRELOAD attacks, LD_LIBRARY_PATH manipulations, shell PATH
>>> manipulations (think spawned processes), compiler flag manipulations
>>> (think "pip install sourcepkg"), OpenSSL reconfiguration, etc.
>>
>> To be clear, I’m not suggesting that this represents a reason not to do any of this, just that we should not suggest that there is no risk here: there is, and it is a new attack vector.
>
> Fair enough :-)

I tweaked the explanation of that security caveat:
https://hg.python.org/peps/rev/a24451715d84 (and then tweaked the
tweak to replace "the main" with "a key").

I didn't mention the prospect of reading sensitive data from the
environment, as the specific problem we're introducing is with write
access, and I believe certain flavours of vulnerability can give the
ability to do blind writes to the environment without necessarily
gaining the ability to dump arbitrary details about that environment.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
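The caveat discussed above is that a process-wide HTTPS verification override is controlled by the environment, so an attacker who can write environment variables can switch certificate and hostname checks off for every caller that relies on the default context. The following is an added example, not code from this thread, from PEP 493 or from CPython: a startup audit a defender can run to detect that condition, plus the pattern for code that must keep verifying regardless of the process-wide setting. It assumes the override variable name and its "0 means disable" convention from PEP 493 (`PYTHONHTTPSVERIFY`), and that the private `ssl._create_default_https_context` hook is the factory `http.client`/`urllib` use when no `context=` is passed (true in current CPython, but private, hence the `getattr` fallback).

```python
import os
import ssl

# PEP 493's process-wide override variable. The name and the "0 = disable"
# convention are taken from the PEP, not from this thread (assumption).
OVERRIDE_VAR = "PYTHONHTTPSVERIFY"


def override_requested(environ=None):
    """True when the environment asks Python to skip HTTPS verification.

    PEP 493 only honours the exact value "0"; any other value, or an unset
    variable, leaves the platform default alone.
    """
    env = os.environ if environ is None else environ
    return env.get(OVERRIDE_VAR) == "0"


def context_verifies(ctx):
    """True when an SSLContext checks both the certificate chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_https_context_verifies():
    """Inspect the context that http.client/urllib use when none is passed.

    ssl._create_default_https_context is the private hook that PEP 493 points
    at ssl._create_unverified_context when the override is active. Checking it
    directly is the ground truth, whatever the environment says.
    """
    factory = getattr(ssl, "_create_default_https_context",
                      ssl.create_default_context)
    return context_verifies(factory())


def strict_context():
    """Context for code that must verify regardless of the process-wide setting.

    ssl.create_default_context() is not affected by the PEP 493 override, so
    passing this explicitly (context=...) to urlopen()/HTTPSConnection opts
    the call out of the environment-controlled default.
    """
    ctx = ssl.create_default_context()
    if not context_verifies(ctx):
        raise RuntimeError("default context unexpectedly non-verifying")
    return ctx


def contrast():
    """(verifying default, unverified) to show what the override switches between."""
    return (context_verifies(ssl.create_default_context()),
            context_verifies(ssl._create_unverified_context()))


def audit(environ=None):
    """Return a list of (severity, message) findings suitable for startup logging."""
    findings = []
    if override_requested(environ):
        findings.append(("warning",
                         "%s=0 present in the environment; the process-wide "
                         "default HTTPS context will not verify certificates"
                         % OVERRIDE_VAR))
    if not default_https_context_verifies():
        findings.append(("error",
                         "default HTTPS context is non-verifying: callers "
                         "that omit context= are exposed"))
    return findings


if __name__ == "__main__":
    for severity, message in audit():
        print("%s: %s" % (severity, message))
    print("strict context verifies:", context_verifies(strict_context()))
```

Running `audit()` at process start and logging its findings gives an operator a record of when the override was in effect; library code that handles credentials should prefer `strict_context()` so that a write to the environment cannot silently downgrade it.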
