upstream/ipython Files · IPython/testing/skipdoctest.py

Fix CVE-2023-24816 by removing legacy code....

Fix CVE-2023-24816 by removing legacy code. Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control directory names, and manage to get a user cd into this directory the attacker can execute arbitrary commands contained in the folder names. Example: - On a windows machine where python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by for example cloning a git repository. - call toggled_set_term_title(True), (or have the preference to true) - Open IPython and cd into this directory. - the folder now contain a pwn.txt, with pwn as content, despite the user not asking for any code execution. Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).

Nikita Kniazev - - Load All Authors

File last commit:

r26873:17153999


                r28089:991849c2

Download file

             skipdoctest.py
        
                    19 lines
            
             | 717 B
            
                | text/x-python
            
             |
                PythonLexer
            
             / IPython / testing / skipdoctest.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      """Decorators marks that a doctest should be skipped.

      The IPython.testing.decorators module triggers various extra imports, including

      numpy and sympy if they're present. Since this decorator is used in core parts

      of IPython, it's in a separate module so that running IPython doesn't trigger

      those imports."""

      # Copyright (C) IPython Development Team

      # Distributed under the terms of the Modified BSD License.

      def skip_doctest(f):

          """Decorator - mark a function or method for skipping its doctest.

          This decorator allows you to mark a function whose docstring you wish to

          omit from testing, while preserving the docstring for introspection, help,

          etc."""

          f.__skip_doctest__ = True

          return f

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				"""Decorators marks that a doctest should be skipped.

				The IPython.testing.decorators module triggers various extra imports, including
				numpy and sympy if they're present. Since this decorator is used in core parts
				of IPython, it's in a separate module so that running IPython doesn't trigger
				those imports."""

				# Copyright (C) IPython Development Team
				# Distributed under the terms of the Modified BSD License.


				def skip_doctest(f):
				"""Decorator - mark a function or method for skipping its doctest.

				This decorator allows you to mark a function whose docstring you wish to
				omit from testing, while preserving the docstring for introspection, help,
				etc."""
				f.__skip_doctest__ = True
				return f