Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names, and manages to get a user to cd into this directory, the attacker can execute arbitrary commands contained in the folder names.

Example:

- On a Windows machine where Python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by, for example, cloning a git repository.
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt with pwn as content, despite the user not asking for any code execution.

Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).
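To make the pattern behind this advisory and its remedy concrete, here is an added illustration written for this page; it is not IPython's own code. It assumes the legacy path rendered the title format with the working directory and spliced the result into a "title ..." command line for a shell, and contrasts that with delivering the title through an API that takes a plain string (ctypes.windll.kernel32.SetConsoleTitleW on Windows, the OSC 0 escape written straight to stdout elsewhere) after stripping control characters. The directory names, the format strings and the function names (legacy_title_command, sanitize_title, set_term_title_safe, has_shell_metacharacters) are all constructed for the example.

```python
import re
import sys

# Constructed sample directory names for the demonstration (not from the repo).
BENIGN_CWD = "C:\\Users\\alice\\project"
HOSTILE_CWD = 'C:\\Users\\alice\\&& echo "pwn" > pwn.txt'


def legacy_title_command(title_format: str, cwd: str) -> str:
    """Assumed legacy pattern: render the title and splice it into a command
    line for a shell. This function only returns the string a shell would
    receive; it never executes it. Shell metacharacters in cwd (&&, >, |)
    become part of the command, which is the whole problem."""
    title = title_format.format(cwd=cwd)
    return "title " + title


_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_title(title: str, max_len: int = 256) -> str:
    """Remove control characters (ESC, BEL, CR/LF, ...) so the title cannot
    open or terminate a terminal escape sequence, and cap its length."""
    return _CONTROL_CHARS.sub("", title)[:max_len]


def xterm_title_sequence(title: str) -> str:
    """OSC 0 sequence understood by xterm-compatible terminals; built only
    from sanitized input and written to stdout directly, not via a shell."""
    return "\033]0;" + sanitize_title(title) + "\007"


def set_term_title_safe(title_format: str, cwd: str) -> str:
    """Hardened path: render the title, sanitize it, and hand it to an API
    that takes a string argument. No shell is involved, so metacharacters in
    cwd are inert. Returns the title that was set."""
    title = sanitize_title(title_format.format(cwd=cwd))
    if sys.platform == "win32":
        import ctypes  # assumed available; SetConsoleTitleW takes a wide string

        ctypes.windll.kernel32.SetConsoleTitleW(title)
    else:
        sys.stdout.write(xterm_title_sequence(title))
        sys.stdout.flush()
    return title


def has_shell_metacharacters(cwd: str) -> bool:
    """Audit helper: flags directory names that would have changed the
    meaning of the legacy command line."""
    return re.search(r"[&|;<>^`\n\r]", cwd) is not None


if __name__ == "__main__":
    print("legacy would run:", legacy_title_command("IPython: {cwd}", HOSTILE_CWD))
    print("hardened set:    ", set_term_title_safe("IPython: {cwd}", HOSTILE_CWD))
    # The workaround from the commit message: a fixed format never includes cwd.
    print("fixed format:    ", set_term_title_safe("IPython", HOSTILE_CWD))
```

The design point is that the hostile directory name is never made safe by escaping; it simply stops being interpreted because the string goes to an API that only sets a title. The last call mirrors the workaround in the commit message: with a fixed term_title_format the working directory never reaches the title at all, so even the legacy shell path would have had nothing attacker-controlled to expand.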

File last commit:

r27909:017b677e merge
r28089:991849c2
test_pygments.py
26 lines | 824 B | text/x-python | PythonLexer
Nicholas Bollweg
Merge remote-tracking branch 'upstream/main' into gh-13845-fix-pygments-entry-points
from typing import Set

import pytest
import pygments.lexers
import pygments.lexer

from IPython.lib.lexers import IPythonConsoleLexer, IPythonLexer, IPython3Lexer

#: the human-readable names of the IPython lexers with ``entry_points``
EXPECTED_LEXER_NAMES = [
    cls.name for cls in [IPythonConsoleLexer, IPythonLexer, IPython3Lexer]
]


@pytest.fixture
def all_pygments_lexer_names() -> Set[str]:
    """Get all lexer names registered in pygments.

    ``get_all_lexers()`` yields ``(name, aliases, filenames, mimetypes)``
    tuples; only the name is needed here, collected into a set for
    membership tests.
    """
    return {l[0] for l in pygments.lexers.get_all_lexers()}


@pytest.mark.parametrize("expected_lexer", EXPECTED_LEXER_NAMES)
def test_pygments_entry_points(
    expected_lexer: str, all_pygments_lexer_names: Set[str]
) -> None:
    """Check whether the ``entry_points`` for ``pygments.lexers`` are correct."""
    assert expected_lexer in all_pygments_lexer_names