Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names, and manages to get a user to cd into this directory, the attacker can execute arbitrary commands contained in the folder names.

Example:
- On a Windows machine where Python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by, for example, cloning a git repository.
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt with pwn as content, despite the user not asking for any code execution.

Workaround: set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).
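The injection the commit message describes, and the quoting that the test file below expects from install_editor on non-Windows platforms, as an added example. This is not IPython's code: the function names are hypothetical, `echo` stands in for whatever command set the terminal title, EVIL_DIRNAME is a constructed directory name modelled on the advisory's example, and the demo assumes a POSIX /bin/sh so that shell=True, cwd=the evil directory reproduces "cd into it, then set the title".

```python
import os
import shlex
import subprocess
import tempfile

# Constructed attacker-controlled directory name, modelled on the advisory's
# example. It is a legal POSIX file name, so a cloned repository could carry it.
EVIL_DIRNAME = '&& echo "pwn" > pwn.txt'


def legacy_title_command(title):
    """Hypothetical reconstruction of the vulnerable pattern: the title text
    (here the cwd's basename) is pasted into a shell command string that is
    later run with shell=True. 'echo' stands in for the real title command."""
    return "echo " + title


def quoted_title_command(title):
    """Hardened form for POSIX shells: the untrusted part is quoted so the
    shell sees it as one word. shlex.quote is not a cmd.exe escaper."""
    return "echo " + shlex.quote(title)


def fixed_title_command(title, term_title_format="IPython"):
    """The advisory's workaround: with a fixed term_title_format the cwd never
    reaches the command string at all (title is deliberately ignored)."""
    return "echo " + shlex.quote(term_title_format)


def shell_tokens(cmd):
    """Tokenise cmd the way a POSIX shell would (shlex follows the same quoting
    rules). A bare '&&', '||', ';' or '|' token means a second command runs."""
    return shlex.split(cmd)


def has_command_separator(cmd):
    return any(tok in ("&&", "||", ";", "|") for tok in shell_tokens(cmd))


def simulate_cd_and_set_title(build_cmd, dirname):
    """Create a directory named dirname under a fresh temp dir, cd into it and
    run the title command there with shell=True, as the vulnerable flow would.
    Returns the sorted list of files left behind in that directory."""
    if os.name != "posix":
        raise RuntimeError("demo assumes a POSIX /bin/sh")
    with tempfile.TemporaryDirectory() as base:
        target = os.path.join(base, dirname)
        os.mkdir(target)
        subprocess.run(
            build_cmd(os.path.basename(target)),
            shell=True,
            cwd=target,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            check=False,
        )
        return sorted(os.listdir(target))


if __name__ == "__main__":
    for name, builder in [("legacy", legacy_title_command),
                          ("quoted", quoted_title_command),
                          ("fixed", fixed_title_command)]:
        cmd = builder(EVIL_DIRNAME)
        print(f"{name:7s} cmd={cmd!r}")
        print(f"        separator injected: {has_command_separator(cmd)}")
        print(f"        files created: {simulate_cd_and_set_title(builder, EVIL_DIRNAME)}")
```

The legacy builder leaves pwn.txt behind because the shell parses `&&` as a command separator; the quoted builder turns the whole directory name into a single argument, which is the same shlex.quote behaviour the test below checks when it expects `'the file'` in the non-Windows command. Quoting only helps for the POSIX shell it was written for, and cmd.exe has different rules, which is why the commit removes the shell-based path rather than trying to escape for it.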

File last commit:

r26716:4142eaaf
r28089:991849c2
IPython/lib/tests/test_editorhooks.py (32 lines | 884 B | text/x-python)
Blame (author, revision, commit): Min RK r18869 "fix editorhooks typo"; Srinivas Reddy Thatiparthy r23058 "import mock from unittest"; Segev Finer r23294 "IPython/lib/editorhooks.py: wait for process even if wait=False"; Matthias Bussonnier r26716 "remove nose tools from test_editorhooks".

"""Test installing editor hooks"""
import sys
from unittest import mock

from IPython import get_ipython
from IPython.lib import editorhooks


def test_install_editor():
    called = []

    def fake_popen(*args, **kwargs):
        # Record how the hook invoked Popen instead of spawning anything.
        called.append({
            'args': args,
            'kwargs': kwargs,
        })
        # The hook calls .wait() on the process even with wait=False.
        return mock.MagicMock(**{'wait.return_value': 0})

    # Template placeholders {line} and {filename} are filled in by the hook.
    editorhooks.install_editor('foo -l {line} -f {filename}', wait=False)

    with mock.patch('subprocess.Popen', fake_popen):
        get_ipython().hooks.editor('the file', 64)

    assert len(called) == 1
    args = called[0]["args"]
    kwargs = called[0]["kwargs"]

    # The command is always handed to a shell.
    assert kwargs == {"shell": True}

    if sys.platform.startswith("win"):
        # Windows: an argument list, no shell quoting applied.
        expected = ["foo", "-l", "64", "-f", "the file"]
    else:
        # POSIX: a single string with the filename shell-quoted.
        expected = "foo -l 64 -f 'the file'"
    cmd = args[0]
    assert cmd == expected