##// END OF EJS Templates
Fix CVE-2023-24816 by removing legacy code....
Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

File last commit:

r23699:adf10a5a
r28089:991849c2
Show More
prompts.py
21 lines | 607 B | text/x-python | PythonLexer
# -*- coding: utf-8 -*-
"""Being removed
"""
class LazyEvaluate(object):
"""This is used for formatting strings with values that need to be updated
at that time, such as the current time or working directory."""
def __init__(self, func, *args, **kwargs):
self.func = func
self.args = args
self.kwargs = kwargs
def __call__(self, **kwargs):
self.kwargs.update(kwargs)
return self.func(*self.args, **self.kwargs)
def __str__(self):
return str(self())
def __format__(self, format_spec):
return format(self(), format_spec)