Fix CVE-2023-24816 by removing legacy code....
Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names and manages to get a user to cd into such a directory, the attacker can execute arbitrary commands contained in the folder names. Example: - On a Windows machine where Python is built without _ctypes, create a folder called `&& echo "pwn" > pwn.txt`. This can be done, for example, by cloning a git repository. - Call toggled_set_term_title(True) (or have the preference set to true). - Open IPython and cd into this directory. - The folder now contains a pwn.txt with pwn as its content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

File last commit:

r25147:babedc8a
r28089:991849c2
Makefile
# Installation prefix for the plugin; the install recipe hands this value to
# `pip install --prefix`. Override per invocation: make PREFIX=/some/dir
PREFIX := /usr/local

# Nose command line using the stock doctest plugin.
NOSE0 := nosetests -vs --with-doctest --doctest-tests --detailed-errors

# Nose command line using the ipdoctest plugin, with .txt as an extra
# doctest file extension.
NOSE := nosetests -vvs --with-ipdoctest --doctest-tests --doctest-extension=txt --detailed-errors

# Files whose modification makes the plugin stamp out of date.
SRC := ipdoctest.py setup.py ../decorators.py
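# Neither name is a file this Makefile produces; declare them phony so a stray
# file called `default` or `plugin` cannot silently disable the target.
.PHONY: default plugin

# Default goal for a bare `make`: run the interactiveshell tests.
# NOTE: interactiveshell depends on `plugin`, so a bare `make` also runs the
# `pip install` recipe of IPython_doctest_plugin.egg-info whenever that stamp
# is missing or older than $(SRC). Run it from a checkout you trust and with a
# PREFIX you intend to write to.
default: interactiveshell

# Alias for the plugin installation; the work is done by the egg-info rule.
plugin: IPython_doctest_plugin.egg-info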
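# Simple targets that test one thing.
# They are commands, not files: declare them phony so that, for example, a
# file or directory named `test` does not make `make test` a silent no-op.
.PHONY: simple dtest rtest test deb

# Run the ipdoctest-enabled nose over simple.py.
simple: plugin simple.py
	$(NOSE) simple.py

# Run the doctest example module.
dtest: plugin dtexample.py
	$(NOSE) dtexample.py

# Run the reference tests.
rtest: plugin test_refs.py
	$(NOSE) test_refs.py

# Run the example module plus everything matching test*.py / test*.txt.
# The globs are expanded by the shell in the current directory.
test: plugin dtexample.py
	$(NOSE) dtexample.py test*.py test*.txt

# NOTE(review): the prerequisite is dtexample.py but the recipe runs
# test_combo.txt -- confirm which file this target is meant to track.
deb: plugin dtexample.py
	$(NOSE) test_combo.txt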
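# IPython tests.
# Each target runs nose against one importable module or package; none of
# them produces a file, so all are declared phony.
.PHONY: deco magic excolors interactiveshell strd engine tf ipython

# Uses NOSE0 (stock doctest plugin) and therefore does not need `plugin`.
deco:
	$(NOSE0) IPython.testing.decorators

magic: plugin
	$(NOSE) IPython.core.magic

excolors: plugin
	$(NOSE) IPython.core.excolors

interactiveshell: plugin
	$(NOSE) IPython.core.interactiveshell

strd: plugin
	$(NOSE) IPython.core.strdispatch

engine: plugin
	$(NOSE) IPython.kernel

tf: plugin
	$(NOSE) IPython.config.traitlets

# All of ipython itself
ipython: plugin
	$(NOSE) IPython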
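# Combined targets: pure aggregates with no recipe of their own.
.PHONY: sr base quick all

sr: rtest strd

base: dtest rtest test strd deco

# `ipipe` used to be listed here, but no rule for it is visible in this
# Makefile, so `make quick` stopped with "No rule to make target 'ipipe'"
# unless a file of that name happened to exist. It is dropped so the
# aggregate is buildable again.
quick: base interactiveshell

all: base ipython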
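# Main plugin and cleanup
.PHONY: clean

# Install the plugin with pip and record the fact in a stamp file named after
# the target; the stamp is refreshed whenever one of $(SRC) changes.
# PREFIX is single-quoted so that a value containing spaces or shell
# metacharacters reaches pip as one literal argument instead of being
# re-parsed by the shell.
# NOTE: this runs the setup code of the current directory and writes under
# PREFIX; with the default /usr/local that typically needs elevated
# privileges -- prefer a user-writable PREFIX over running make as root.
IPython_doctest_plugin.egg-info: $(SRC)
	pip install . --prefix='$(PREFIX)'
	touch $@

# Remove the stamp, editor backups, byte-code files and build output.
# The globs are anchored with ./ so that a file name beginning with `-`
# cannot be interpreted by rm as an option.
clean:
	rm -rf IPython_doctest_plugin.egg-info ./*~ ./*pyc build/ dist/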