##// END OF EJS Templates
Fix CVE-2023-24816 by removing legacy code....
Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

File last commit:

r21253:ff3b995a
r28089:991849c2
Show More
payload.py
55 lines | 1.7 KiB | text/x-python | PythonLexer
# -*- coding: utf-8 -*-
"""Payload system for IPython.
Authors:
* Fernando Perez
* Brian Granger
"""
#-----------------------------------------------------------------------------
# Copyright (C) 2008-2011 The IPython Development Team
#
# Distributed under the terms of the BSD License. The full license is in
# the file COPYING, distributed as part of this software.
#-----------------------------------------------------------------------------
#-----------------------------------------------------------------------------
# Imports
#-----------------------------------------------------------------------------
from traitlets.config.configurable import Configurable
from traitlets import List
#-----------------------------------------------------------------------------
# Main payload class
#-----------------------------------------------------------------------------
class PayloadManager(Configurable):
_payload = List([])
def write_payload(self, data, single=True):
"""Include or update the specified `data` payload in the PayloadManager.
If a previous payload with the same source exists and `single` is True,
it will be overwritten with the new one.
"""
if not isinstance(data, dict):
raise TypeError('Each payload write must be a dict, got: %r' % data)
if single and 'source' in data:
source = data['source']
for i, pl in enumerate(self._payload):
if 'source' in pl and pl['source'] == source:
self._payload[i] = data
return
self._payload.append(data)
def read_payload(self):
return self._payload
def clear_payload(self):
self._payload = []