upstream/ipython Files · IPython/core/magics/__init__.py

Fix CVE-2023-24816 by removing legacy code....

Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

Jake VanderPlas - - Load All Authors

File last commit:

r24880:8168be55


                r28089:991849c2

Download file

             __init__.py
        
                    42 lines
            
             | 1.6 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / IPython / core / magics / __init__.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      """Implementation of all the magic functions built into IPython.

      """

      #-----------------------------------------------------------------------------

      #  Copyright (c) 2012 The IPython Development Team.

      #

      #  Distributed under the terms of the Modified BSD License.

      #

      #  The full license is in the file COPYING.txt, distributed with this software.

      #-----------------------------------------------------------------------------

      #-----------------------------------------------------------------------------

      # Imports

      #-----------------------------------------------------------------------------

      from ..magic import Magics, magics_class

      from .auto import AutoMagics

      from .basic import BasicMagics, AsyncMagics

      from .code import CodeMagics, MacroToEdit

      from .config import ConfigMagics

      from .display import DisplayMagics

      from .execution import ExecutionMagics

      from .extension import ExtensionMagics

      from .history import HistoryMagics

      from .logging import LoggingMagics

      from .namespace import NamespaceMagics

      from .osm import OSMagics

      from .packaging import PackagingMagics

      from .pylab import PylabMagics

      from .script import ScriptMagics

      #-----------------------------------------------------------------------------

      # Magic implementation classes

      #-----------------------------------------------------------------------------

      @magics_class

      class UserMagics(Magics):

          """Placeholder for user-defined magics to be added at runtime.

          All magics are eventually merged into a single namespace at runtime, but we

          use this class to isolate the magics defined dynamically by the user into

          their own class.

          """

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				"""Implementation of all the magic functions built into IPython.
				"""
				#-----------------------------------------------------------------------------
				# Copyright (c) 2012 The IPython Development Team.
				#
				# Distributed under the terms of the Modified BSD License.
				#
				# The full license is in the file COPYING.txt, distributed with this software.
				#-----------------------------------------------------------------------------

				#-----------------------------------------------------------------------------
				# Imports
				#-----------------------------------------------------------------------------

				from ..magic import Magics, magics_class
				from .auto import AutoMagics
				from .basic import BasicMagics, AsyncMagics
				from .code import CodeMagics, MacroToEdit
				from .config import ConfigMagics
				from .display import DisplayMagics
				from .execution import ExecutionMagics
				from .extension import ExtensionMagics
				from .history import HistoryMagics
				from .logging import LoggingMagics
				from .namespace import NamespaceMagics
				from .osm import OSMagics
				from .packaging import PackagingMagics
				from .pylab import PylabMagics
				from .script import ScriptMagics

				#-----------------------------------------------------------------------------
				# Magic implementation classes
				#-----------------------------------------------------------------------------

				@magics_class
				class UserMagics(Magics):
				"""Placeholder for user-defined magics to be added at runtime.

				All magics are eventually merged into a single namespace at runtime, but we
				use this class to isolate the magics defined dynamically by the user into
				their own class.
				"""