Fix CVE-2023-24816 by removing legacy code....
Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names, and manages to get a user to cd into this directory, the attacker can execute arbitrary commands contained in the folder names.

Example:
- On a Windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by, for example, cloning a git repository.
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt, with pwn as content, despite the user not asking for any code execution.

Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

packaging.py
"""Implementation of packaging-related magic functions.
"""
#-----------------------------------------------------------------------------
# Copyright (c) 2018 The IPython Development Team.
#
# Distributed under the terms of the Modified BSD License.
#
# The full license is in the file COPYING.txt, distributed with this software.
#-----------------------------------------------------------------------------
import re
import shlex
import sys
from pathlib import Path

from IPython.core.magic import Magics, magics_class, line_magic
def _is_conda_environment():
    """Report whether the running interpreter lives inside a conda env.

    The check is purely file-based: it looks for ``conda-meta/history``
    underneath ``sys.prefix`` and returns whether that path exists.
    """
    # TODO: does this need to change on windows?
    history_file = Path(sys.prefix) / "conda-meta" / "history"
    return history_file.exists()
def _get_conda_executable():
    """Locate the conda executable to run for this environment.

    Lookup order:

    1. a ``conda`` file in the same directory as ``sys.executable``;
    2. the command recorded on a ``# cmd:`` line of
       ``<sys.prefix>/conda-meta/history``;
    3. the bare name ``"conda"``, left for the shell to resolve.

    The value returned from step 2 is text read from a file on disk and is
    not validated here.
    """
    # Inside conda's root environment the executable sits next to Python.
    sibling = Path(sys.executable).parent.joinpath("conda")
    if sibling.is_file():
        return str(sibling)

    # In any other conda environment, fall back to what the history file
    # recorded about the command line that touched the environment.
    history_path = Path(sys.prefix) / "conda-meta" / "history"
    history_text = history_path.read_text(encoding="utf-8")

    # NOTE(review): the trailing ``[create|install]`` is a character class that
    # matches a single character, not the alternation ``(?:create|install)``,
    # so any subcommand starting with one of those letters is accepted and the
    # greedy ``.*conda`` can capture more than the executable path. Left
    # unchanged because tightening it alters which history lines match.
    # NOTE(review): the captured text is whatever the history file holds; a
    # caller that builds a shell command from it should quote it and treat a
    # history file of unknown origin as untrusted input.
    cmd_line = re.compile(
        r"^#\s*cmd:\s*(?P<command>.*conda)\s[create|install]",
        re.MULTILINE,
    )
    found = cmd_line.search(history_text)
    if found is not None:
        return found.group("command")

    # Nothing recorded: assume conda is available on the system path.
    return "conda"
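# conda subcommands for which the %conda magic adds ``--prefix <sys.prefix>``
# when the user gave no environment flag of their own.
CONDA_COMMANDS_REQUIRING_PREFIX = {
    'install', 'list', 'remove', 'uninstall', 'update', 'upgrade',
}
# conda subcommands for which the %conda magic adds ``--yes`` when the shell
# has a kernel attached and the user gave no yes-flag of their own.
CONDA_COMMANDS_REQUIRING_YES = {
    'install', 'remove', 'uninstall', 'update', 'upgrade',
}
# Flags that mean the user already selected a target environment.
CONDA_ENV_FLAGS = {'-p', '--prefix', '-n', '--name'}
# Flags that mean the user already confirmed. '--yes' is conda's documented
# long form; without it an explicit ``--yes`` was not recognised and a second
# one was appended. '--y' is kept for backward compatibility.
CONDA_YES_FLAGS = {'-y', '--y', '--yes'}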
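def _quote_shell_word(text):
    """Return *text* quoted so the shell reads it as a single word.

    ``shlex.quote`` emits POSIX single quotes, so on win32 the value is
    wrapped in double quotes instead.
    """
    if sys.platform == "win32":
        return '"' + text + '"'
    return shlex.quote(text)


@magics_class
class PackagingMagics(Magics):
    """Magics related to packaging & installation"""

    @line_magic
    def pip(self, line):
        """Run the pip package manager within the current kernel.

        Usage:
          %pip install [pkgs]
        """
        # Quote the interpreter path: it may contain spaces.
        python = _quote_shell_word(sys.executable)

        # ``line`` is appended verbatim, so the shell interprets whatever
        # the user typed after ``%pip``.
        self.shell.system(" ".join([python, "-m", "pip", line]))

        print("Note: you may need to restart the kernel to use updated packages.")

    @line_magic
    def conda(self, line):
        """Run the conda package manager within the current kernel.

        Usage:
          %conda install [pkgs]

        Raises:
            ValueError: if the running interpreter is not in a conda
                environment (no ``conda-meta/history`` under ``sys.prefix``).
        """
        if not _is_conda_environment():
            raise ValueError("The python kernel does not appear to be a conda environment. "
                             "Please use ``%pip install`` instead.")

        # The executable path may come from the conda history file and may
        # contain spaces or shell metacharacters; quote it the same way
        # ``pip`` quotes the interpreter so it stays one shell word.
        conda = _quote_shell_word(_get_conda_executable())
        args = shlex.split(line)
        command = args[0] if len(args) > 0 else ""
        args = args[1:] if len(args) > 1 else [""]

        extra_args = []

        # When the subprocess does not allow us to respond "yes" during the installation,
        # we need to insert --yes in the argument list for some commands
        stdin_disabled = getattr(self.shell, 'kernel', None) is not None
        needs_yes = command in CONDA_COMMANDS_REQUIRING_YES
        has_yes = set(args).intersection(CONDA_YES_FLAGS)
        if stdin_disabled and needs_yes and not has_yes:
            extra_args.append("--yes")

        # Add --prefix to point conda installation to the current environment
        needs_prefix = command in CONDA_COMMANDS_REQUIRING_PREFIX
        has_prefix = set(args).intersection(CONDA_ENV_FLAGS)
        if needs_prefix and not has_prefix:
            # sys.prefix is a filesystem path too; quote it so a prefix with
            # spaces is not split into several arguments.
            extra_args.extend(["--prefix", _quote_shell_word(sys.prefix)])

        # NOTE(review): ``shlex.split`` removed the user's quoting and the
        # words are joined back without re-quoting, so an argument typed in
        # quotes (for example a version spec containing ``>`` or a name with
        # spaces) reaches the shell unquoted. Re-quoting here would change how
        # arguments with shell metacharacters behave today, so it is flagged
        # rather than changed.
        self.shell.system(' '.join([conda, command] + extra_args + args))
        print("\nNote: you may need to restart the kernel to use updated packages.")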