upstream/ipython Files · IPython/core/tests/refbug.py

Fix CVE-2023-24816 by removing legacy code....

Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

Matthias Bussonnier - - Load All Authors

File last commit:

r25335:5a8935c7


                r28089:991849c2

Download file

             refbug.py
        
                    46 lines
            
             | 1.5 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / IPython / core / tests / refbug.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      """Minimal script to reproduce our nasty reference counting bug.

      The problem is related to https://github.com/ipython/ipython/issues/141

      The original fix for that appeared to work, but John D. Hunter found a

      matplotlib example which, when run twice in a row, would break.  The problem

      were references held by open figures to internals of Tkinter.

      This code reproduces the problem that John saw, without matplotlib.

      This script is meant to be called by other parts of the test suite that call it

      via %run as if it were executed interactively by the user. As of 2011-05-29,

      test_run.py calls it.

      """

      #-----------------------------------------------------------------------------

      # Module imports

      #-----------------------------------------------------------------------------

      from IPython import get_ipython

      #-----------------------------------------------------------------------------

      # Globals

      #-----------------------------------------------------------------------------

      # This needs to be here because nose and other test runners will import

      # this module. Importing this module has potential side effects that we

      # want to prevent.

      if __name__ == '__main__':

          ip = get_ipython()

          if not '_refbug_cache' in ip.user_ns:

              ip.user_ns['_refbug_cache'] = []

          aglobal = 'Hello'

          def f():

              return aglobal

          cache = ip.user_ns['_refbug_cache']

          cache.append(f)

          def call_f():

              for func in cache:

                  print('lowercased:',func().lower())

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				"""Minimal script to reproduce our nasty reference counting bug.

				The problem is related to https://github.com/ipython/ipython/issues/141

				The original fix for that appeared to work, but John D. Hunter found a
				matplotlib example which, when run twice in a row, would break. The problem
				were references held by open figures to internals of Tkinter.

				This code reproduces the problem that John saw, without matplotlib.

				This script is meant to be called by other parts of the test suite that call it
				via %run as if it were executed interactively by the user. As of 2011-05-29,
				test_run.py calls it.
				"""

				#-----------------------------------------------------------------------------
				# Module imports
				#-----------------------------------------------------------------------------

				from IPython import get_ipython

				#-----------------------------------------------------------------------------
				# Globals
				#-----------------------------------------------------------------------------

				# This needs to be here because nose and other test runners will import
				# this module. Importing this module has potential side effects that we
				# want to prevent.
				if __name__ == '__main__':

				ip = get_ipython()

				if not '_refbug_cache' in ip.user_ns:
				ip.user_ns['_refbug_cache'] = []


				aglobal = 'Hello'
				def f():
				return aglobal

				cache = ip.user_ns['_refbug_cache']
				cache.append(f)

				def call_f():
				for func in cache:
				print('lowercased:',func().lower())