upstream/ipython Files · IPython/testing/plugin

Fix CVE-2023-24816 by removing legacy code....

Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

Konstantin Weddige -


            r28089:991849c2

Name	Size	Modified	Last Commit	Author
/ IPython / testing / plugin
Makefile	Loading ...
README.txt	Loading ...
__init__.py	Loading ...
dtexample.py	Loading ...
ipdoctest.py	Loading ...
pytest_ipdoctest.py	Loading ...
setup.py	Loading ...
simple.py	Loading ...
simplevars.py	Loading ...
test_combo.txt	Loading ...
test_example.txt	Loading ...
test_exampleip.txt	Loading ...
test_ipdoctest.py	Loading ...
test_refs.py	Loading ...

IPython/testing/plugin/README.txt

            
=======================================================
 Nose plugin with IPython and extension module support
=======================================================

This directory provides the key functionality for test support that IPython
needs as a nose plugin, which can be installed for use in projects other than
IPython.

The presence of a Makefile here is mostly for development and debugging
purposes as it only provides a few shorthand commands.  You can manually
install the plugin by using standard Python procedures (``setup.py install``
with appropriate arguments).

To install the plugin using the Makefile, edit its first line to reflect where
you'd like the installation.

Once you've set the prefix, simply build/install the plugin with::

  make

and run the tests with::

  make test

You should see output similar to::

  maqroll[plugin]> make test
  nosetests -s --with-ipdoctest --doctest-tests dtexample.py
  ..
  ----------------------------------------------------------------------
  Ran 2 tests in 0.016s

  OK

          

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages