Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE.

Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names, and manages to get a user to cd into this directory, the attacker can execute arbitrary commands contained in the folder names.

Example:

- On a Windows machine where Python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by, for example, cloning a git repository.
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt, with pwn as content, despite the user not asking for any code execution.

Workaround:

Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).
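Added example (not IPython's code and not part of this commit): a Python sketch for checking a checkout for folder names like the one in the report, and for confirming that a fixed title format removes the directory name from the title. It assumes the title template uses a {cwd} placeholder and that the removed path concatenated the title into a shell command line; all function names are hypothetical and no command is executed.

```python
import os
import re
import tempfile

# Assumed: characters cmd.exe treats as separators, redirection, escapes or expansion.
CMD_METACHARS = re.compile(r'[&|<>^%"]')


def render_title(term_title_format, cwd):
    """Fill the title template (assumed '{cwd}' placeholder) with a directory name."""
    return term_title_format.format(cwd=cwd)


def shell_title_command(title):
    """The risky shape (assumed): title concatenated into a shell command line.
    The string is only returned for inspection; nothing is executed."""
    return "title " + title


def is_injectable(term_title_format, cwd):
    """True when the rendered title carries cmd.exe metacharacters."""
    return bool(CMD_METACHARS.search(render_title(term_title_format, cwd)))


def risky_dirs(root):
    """List directories under root whose names contain cmd.exe metacharacters."""
    hits = []
    for parent, dirs, _files in os.walk(root):
        hits += [os.path.join(parent, d) for d in dirs if CMD_METACHARS.search(d)]
    return sorted(hits)


def demo():
    """Constructed sample tree: one ordinary folder, one named as in the report."""
    hostile = '&& echo "pwn" > pwn.txt'
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "notebooks"))
        os.mkdir(os.path.join(root, hostile))
        found = [os.path.basename(p) for p in risky_dirs(root)]
    return {
        "found": found,
        "command": shell_title_command(render_title("IPython: {cwd}", hostile)),
        "default_injectable": is_injectable("IPython: {cwd}", hostile),
        "workaround_injectable": is_injectable("IPython", hostile),
    }


if __name__ == "__main__":
    print(demo())
```

Running risky_dirs over a freshly cloned repository before opening a session inside it flags any folder whose name would change the meaning of a command line built from the working directory.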

File last commit:

r24880:8168be55
r28089:991849c2
__init__.py
42 lines | 1.6 KiB | text/x-python | PythonLexer
Fernando Perez
Create new core.magics package and start populating with history.
r6956 """Implementation of all the magic functions built into IPython.
"""
#-----------------------------------------------------------------------------
Fernando Perez
Create decorators for standalone magic functions, as per review.x
r6972 # Copyright (c) 2012 The IPython Development Team.
Fernando Perez
Create new core.magics package and start populating with history.
r6956 #
# Distributed under the terms of the Modified BSD License.
#
# The full license is in the file COPYING.txt, distributed with this software.
#-----------------------------------------------------------------------------
#-----------------------------------------------------------------------------
# Imports
#-----------------------------------------------------------------------------
Fernando Perez
Move UserMagics to core.magics
r6957
Fernando Perez
Renamed @register_magics to @magics_class to avoid confusion....
r6973 from ..magic import Magics, magics_class
Fernando Perez
Create core.magics.auto according to new API.
r6964 from .auto import AutoMagics
Matthias Bussonnier
Load the async ext only on 3.5+
r24467 from .basic import BasicMagics, AsyncMagics
Fernando Perez
Create core.magics.code according to new API.
r6960 from .code import CodeMagics, MacroToEdit
Fernando Perez
Create core.magics.config according to new API.
r6961 from .config import ConfigMagics
MinRK
add %%javascript, %%svg, and %%latex display magics...
r7946 from .display import DisplayMagics
Fernando Perez
Create core.magics.execution according to new API.
r6963 from .execution import ExecutionMagics
Fernando Perez
Create core.magics.extension according to new API.
r6967 from .extension import ExtensionMagics
Fernando Perez
Create core.magics.code according to new API.
r6960 from .history import HistoryMagics
Fernando Perez
Create core.magics.logging according to new API.
r6966 from .logging import LoggingMagics
Fernando Perez
Create core.magics.namespace according to new API.
r6962 from .namespace import NamespaceMagics
Fernando Perez
Create core.magics.osm according to new API.
r6965 from .osm import OSMagics
Jake VanderPlas
ENH: add pip and conda magics
r24880 from .packaging import PackagingMagics
Fernando Perez
Create core.magics.pylab according to new API.
r6968 from .pylab import PylabMagics
MinRK
add script magics...
r7299 from .script import ScriptMagics
Fernando Perez
Move UserMagics to core.magics
r6957
#-----------------------------------------------------------------------------
# Magic implementation classes
#-----------------------------------------------------------------------------
Fernando Perez
Renamed @register_magics to @magics_class to avoid confusion....
r6973 @magics_class
Fernando Perez
Move UserMagics to core.magics
r6957 class UserMagics(Magics):
    """Placeholder for user-defined magics to be added at runtime.

    All magics are eventually merged into a single namespace at runtime, but we
    use this class to isolate the magics defined dynamically by the user into
    their own class.
    """