Show More
| @@ -60,6 +60,10 b" __author__ = '%s <%s>' % (release.author, release.author_email)" | |||||
| 60 | __license__ = release.license |
|
60 | __license__ = release.license | |
| 61 | __version__ = release.version |
|
61 | __version__ = release.version | |
| 62 | version_info = release.version_info |
|
62 | version_info = release.version_info | |
|
|
63 | # list of CVEs that should have been patched in this release. | |||
|
|
64 | # this is informational and should not be relied upon. | |||
|
|
65 | __patched_cves__ = {"CVE-2022-21699"} | |||
|
|
66 | ||||
| 63 |
|
67 | |||
| 64 | def embed_kernel(module=None, local_ns=None, **kwargs): |
|
68 | def embed_kernel(module=None, local_ns=None, **kwargs): | |
| 65 | """Embed and start an IPython kernel in a given scope. |
|
69 | """Embed and start an IPython kernel in a given scope. | |
| @@ -157,7 +157,7 b' class BaseIPythonApplication(Application):' | |||||
| 157 | config_file_paths = List(Unicode()) |
|
157 | config_file_paths = List(Unicode()) | |
| 158 | @default('config_file_paths') |
|
158 | @default('config_file_paths') | |
| 159 | def _config_file_paths_default(self): |
|
159 | def _config_file_paths_default(self): | |
| 160 |
return [ |
|
160 | return [] | |
| 161 |
|
161 | |||
| 162 | extra_config_file = Unicode( |
|
162 | extra_config_file = Unicode( | |
| 163 | help="""Path to an extra config file to load. |
|
163 | help="""Path to an extra config file to load. | |
| @@ -181,9 +181,10 b' class ProfileList(Application):' | |||||
| 181 | profiles = list_profiles_in(os.getcwd()) |
|
181 | profiles = list_profiles_in(os.getcwd()) | |
| 182 | if profiles: |
|
182 | if profiles: | |
| 183 | print() |
|
183 | print() | |
| 184 | print("Available profiles in current directory (%s):" % os.getcwd()) |
|
184 | print( | |
| 185 | self._print_profiles(profiles) |
|
185 | "Profiles from CWD have been removed for security reason, see CVE-2022-21699:" | |
| 186 |
|
186 | ) | ||
|
|
187 | ||||
| 187 | print() |
|
188 | print() | |
| 188 | print("To use any of the above profiles, start IPython with:") |
|
189 | print("To use any of the above profiles, start IPython with:") | |
| 189 | print(" ipython --profile=<name>") |
|
190 | print(" ipython --profile=<name>") | |
| @@ -188,7 +188,7 b' class ProfileDir(LoggingConfigurable):' | |||||
| 188 | is not found, a :class:`ProfileDirError` exception will be raised. |
|
188 | is not found, a :class:`ProfileDirError` exception will be raised. | |
| 189 |
|
189 | |||
| 190 | The search path algorithm is: |
|
190 | The search path algorithm is: | |
| 191 | 1. ``os.getcwd()`` |
|
191 | 1. ``os.getcwd()`` # removed for security reason. | |
| 192 | 2. ``ipython_dir`` |
|
192 | 2. ``ipython_dir`` | |
| 193 |
|
193 | |||
| 194 | Parameters |
|
194 | Parameters | |
| @@ -200,7 +200,7 b' class ProfileDir(LoggingConfigurable):' | |||||
| 200 | will be "profile_<profile>". |
|
200 | will be "profile_<profile>". | |
| 201 | """ |
|
201 | """ | |
| 202 | dirname = u'profile_' + name |
|
202 | dirname = u'profile_' + name | |
| 203 |
paths = [ |
|
203 | paths = [ipython_dir] | |
| 204 | for p in paths: |
|
204 | for p in paths: | |
| 205 | profile_dir = os.path.join(p, dirname) |
|
205 | profile_dir = os.path.join(p, dirname) | |
| 206 | if os.path.isdir(profile_dir): |
|
206 | if os.path.isdir(profile_dir): | |
| @@ -2,6 +2,48 b'' | |||||
| 2 | 8.x Series |
|
2 | 8.x Series | |
| 3 | ============ |
|
3 | ============ | |
| 4 |
|
4 | |||
|
|
5 | ||||
|
|
6 | IPython 8.0.1 (CVE-2022-21699) | |||
|
|
7 | ------------------------------ | |||
|
|
8 | ||||
|
|
9 | IPython 8.0.1, 7.31.1 and 5.11 are security releases that change some default | |||
|
|
10 | values in order to prevent potential Execution with Unnecessary Privileges. | |||
|
|
11 | ||||
|
|
12 | Almost all version of IPython looks for configuration and profiles in current | |||
|
|
13 | working directory. Since IPython was developed before pip and environments | |||
|
|
14 | existed it was used a convenient way to load code/packages in a project | |||
|
|
15 | dependant way. | |||
|
|
16 | ||||
|
|
17 | In 2022, it is not necessary anymore, and can lead to confusing behavior where | |||
|
|
18 | for example cloning a repository and starting IPython or loading a notebook from | |||
|
|
19 | any Jupyter-Compatible interface that has ipython set as a kernel can lead to | |||
|
|
20 | code execution. | |||
|
|
21 | ||||
|
|
22 | ||||
|
|
23 | I did not find any standard way for packaged to advertise CVEs they fix, I'm | |||
|
|
24 | thus trying to add a ``__patched_cves__`` attribute to the IPython module that | |||
|
|
25 | list the CVEs that should have been fixed. This attribute is informational only | |||
|
|
26 | as if a executable has a flaw, this value can always be changed by an attacker. | |||
|
|
27 | ||||
|
|
28 | .. code:: | |||
|
|
29 | ||||
|
|
30 | In [1]: import IPython | |||
|
|
31 | ||||
|
|
32 | In [2]: IPython.__patched_cves__ | |||
|
|
33 | Out[2]: {'CVE-2022-21699'} | |||
|
|
34 | ||||
|
|
35 | In [3]: 'CVE-2022-21699' in IPython.__patched_cves__ | |||
|
|
36 | Out[3]: True | |||
|
|
37 | ||||
|
|
38 | Thus starting with this version: | |||
|
|
39 | ||||
|
|
40 | - The current working directory is not searched anymore for profiles or | |||
|
|
41 | configurations files. | |||
|
|
42 | - Added a ``__patched_cves__`` attribute (set of strings) to IPython module that contain | |||
|
|
43 | the list of fixed CVE. This is informational only. | |||
|
|
44 | ||||
|
|
45 | ||||
|
|
46 | ||||
| 5 | IPython 8.0 |
|
47 | IPython 8.0 | |
| 6 | ----------- |
|
48 | ----------- | |
| 7 |
|
49 | |||
General Comments 0
You need to be logged in to leave comments.
Login now