Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE.

Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session.

If an attacker can control directory names, and manages to get a user to cd into this directory, the attacker can execute arbitrary commands contained in the folder names.

Example:

- On a Windows machine where Python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by, for example, cloning a git repository.
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt, with pwn as content, despite the user not asking for any code execution.

Workaround:

Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).
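A defensive check for the condition the commit message describes, as an added example that is not part of the commit or of IPython: it flags directory names containing characters that cmd.exe interprets, for instance in a freshly cloned repository. The function names, the character set and the sample tree are assumptions constructed for this illustration.

```python
import os
import re
import tempfile

# Characters cmd.exe gives special meaning to (command chaining, pipes,
# redirection, escaping, variable expansion, quoting) plus line breaks.
# The exact set is an assumption chosen for this example.
CMD_META = re.compile(r'[&|<>^%"\r\n]')


def is_shell_unsafe(name):
    """True if a single path component contains a cmd.exe metacharacter."""
    return bool(CMD_META.search(name))


def unsafe_components(path):
    """Return the components of a path (split on / or \\) that are unsafe."""
    return [p for p in re.split(r"[\\/]+", path) if p and is_shell_unsafe(p)]


def find_unsafe_dirs(root):
    """Walk root and return sorted relative paths of unsafe directory names."""
    hits = []
    for parent, dirs, _files in os.walk(root):
        for d in dirs:
            if is_shell_unsafe(d):
                hits.append(os.path.relpath(os.path.join(parent, d), root))
    return sorted(hits)


def demo():
    """Scan a constructed tree; POSIX file systems accept these names."""
    sample = ("src", "docs", '&& echo "pwn" > pwn.txt',
              os.path.join("src", "a|b"))
    with tempfile.TemporaryDirectory() as root:
        for name in sample:
            os.makedirs(os.path.join(root, name), exist_ok=True)
        return find_unsafe_dirs(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious directory name:", hit)
```

Running `find_unsafe_dirs` on a checkout before opening an interactive session in it shows which directory names would be dangerous to any tool that interpolates the working directory into a shell command.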

tclass.py
```python
"""Simple script to be run *twice*, to check reference counting bugs.

See test_run for details."""

import sys

# We want to ensure that while objects remain available for immediate access,
# objects from *previous* runs of the same script get collected, to avoid
# accumulating massive amounts of old references.
class C(object):
    def __init__(self,name):
        self.name = name
        self.p = print
        self.flush_stdout = sys.stdout.flush

    def __del__(self):
        self.p('tclass.py: deleting object:',self.name)
        self.flush_stdout()

try:
    name = sys.argv[1]
except IndexError:
    pass
else:
    if name.startswith('C'):
        c = C(name)

#print >> sys.stderr, "ARGV:", sys.argv  # dbg

# This next print statement is NOT debugging, we're making the check on a
# completely separate process so we verify by capturing stdout:
print('ARGV 1-:', sys.argv[1:])
sys.stdout.flush()
```