Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names, and manages to get a user to cd into this directory, the attacker can execute arbitrary commands contained in the folder names.

Example:

- On a Windows machine where Python is built without _ctypes, create a folder called `&& echo "pwn" > pwn.txt`. This can be done by, for example, cloning a git repository.
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt with "pwn" as content, despite the user not asking for any code execution.

Workaround: set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

File last commit: r27509:42e22f8e
r28089:991849c2
test_logger.py
27 lines | 776 B | text/x-python | PythonLexer
# -*- coding: utf-8 -*-
"""Test IPython.core.logger"""

import os.path

import pytest
from tempfile import TemporaryDirectory

# `_ip` is not imported here: it is the global IPython shell instance that
# IPython's own test setup (conftest.py) makes available to its test modules.


def test_logstart_inaccessible_file():
    with pytest.raises(IOError):
        _ip.logger.logstart(logfname="/")  # Opening that filename will fail.

    try:
        _ip.run_cell("a=1")  # Check it doesn't try to log this
    finally:
        _ip.logger.log_active = False  # If this fails, don't let later tests fail


def test_logstart_unicode():
    with TemporaryDirectory() as tdir:
        logfname = os.path.join(tdir, "test_unicode.log")
        _ip.run_cell("'abc€'")
        try:
            _ip.magic("logstart -to %s" % logfname)
            _ip.run_cell("'abc€'")
        finally:
            _ip.logger.logstop()