Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names, and manages to get a user to cd into this directory, the attacker can execute arbitrary commands contained in the folder names.

Example:
- On a Windows machine where Python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt. This can be done by, for example, cloning a git repository.
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt with pwn as content, despite the user not asking for any code execution.

Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).
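The injection the commit message describes, as an added example that is not IPython's code and not the code this commit removed (the page shows py3compat.py, not the title-setting code). legacy_title_command is a reconstruction of the vulnerable pattern (untrusted title text concatenated into a command line that is handed to a shell) and is returned as a string rather than executed. render_term_title mirrors the documented workaround of a fixed term_title_format. osc_title_sequence and set_term_title are hypothetical hardened replacements that never pass the title through a shell: SetConsoleTitleW via ctypes on Windows (a real Win32 API), and the standard xterm OSC 0 escape sequence elsewhere, with control characters stripped so a directory name cannot terminate the sequence early. The directory name is the constructed sample from the message; function names are this example's own.

```python
"""Added example: the shell-injection pattern behind CVE-2023-24816 next to
safe ways to set a terminal title. Not IPython's own code."""
import os
import re
import sys

# Constructed sample: the folder name from the commit message. On cmd.exe a
# command line "title && echo "pwn" > pwn.txt" runs the echo. Nothing here
# executes it; the vulnerable function only builds the command string.
EVIL_DIRNAME = '&& echo "pwn" > pwn.txt'

# Characters that let a "title" argument escape into a second command on
# cmd.exe or a POSIX shell. Heuristic check, not a sanitizer.
SHELL_META_RE = re.compile(r'[&|;<>`$()\r\n]')

# C0 and C1 control characters; BEL (\x07) and ESC (\x1b) terminate or start
# escape sequences, so they must not appear inside an OSC title payload.
CONTROL_RE = re.compile(r'[\x00-\x1f\x7f-\x9f]')


def legacy_title_command(title):
    """Reconstruction (assumption, not the removed code) of the vulnerable
    pattern: concatenate the title into a shell command line. If the title
    is a cwd an attacker chose, the shell sees the attacker's command."""
    return "title " + title


def contains_shell_metacharacters(title):
    """Cheap check a reviewer wants before any string reaches os.system."""
    return SHELL_META_RE.search(title) is not None


def render_term_title(term_title_format, cwd):
    """The workaround: term_title_format is operator-controlled config, cwd
    is the untrusted part. With a fixed format such as 'IPython' the cwd
    never reaches the title at all; str.format substitutes, it does not
    re-interpret the substituted text."""
    return term_title_format.format(cwd=cwd)


def osc_title_sequence(title):
    """POSIX path: xterm OSC 0 sequence ESC ] 0 ; title BEL. Control bytes
    are stripped so the cwd cannot close the sequence and inject further
    escapes. Written to the terminal, never handed to a shell."""
    return "\033]0;" + CONTROL_RE.sub("", title) + "\007"


def set_term_title(title):
    """Set the console title without a shell. On Windows call
    SetConsoleTitleW through ctypes; if ctypes is unavailable, do nothing
    rather than fall back to os.system. Returns which path was taken."""
    if os.name == "nt":
        try:
            import ctypes  # may be missing when Python is built without _ctypes
            ctypes.windll.kernel32.SetConsoleTitleW(title)
            return "win32api"
        except (ImportError, AttributeError, OSError):
            return "skipped"
    sys.stdout.write(osc_title_sequence(title))
    sys.stdout.flush()
    return "osc"


if __name__ == "__main__":
    # Show the injected command line, then set a safe title for the real cwd.
    print(repr(legacy_title_command(EVIL_DIRNAME)))
    print(set_term_title(render_term_title("IPython: {cwd}", os.getcwd())))
```

The check in contains_shell_metacharacters is a reviewer's tripwire, not a fix: the fix is that no code path builds a command line from the title at all, which is what the commit does by deleting the legacy fallback.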

File last commit:

r27224:8d544141
r28089:991849c2
py3compat.py
67 lines | 1.6 KiB | text/x-python
# coding: utf-8
"""Compatibility tricks for Python 3. Mainly to do with unicode.

This file is deprecated and will be removed in a future version.
"""
import platform

import builtins as builtin_mod

from .encoding import DEFAULT_ENCODING


def decode(s, encoding=None):
    # Decode bytes with replacement characters instead of raising.
    encoding = encoding or DEFAULT_ENCODING
    return s.decode(encoding, "replace")


def encode(u, encoding=None):
    # Encode text with replacement characters instead of raising.
    encoding = encoding or DEFAULT_ENCODING
    return u.encode(encoding, "replace")


def cast_unicode(s, encoding=None):
    # Return str unchanged; decode bytes.
    if isinstance(s, bytes):
        return decode(s, encoding)
    return s


def safe_unicode(e):
    """unicode(e) with various fallbacks. Used for exceptions, which may not be
    safe to call unicode() on.
    """
    try:
        return str(e)
    except UnicodeError:
        pass

    try:
        return repr(e)
    except UnicodeError:
        pass

    return "Unrecoverably corrupt evalue"


# keep reference to builtin_mod because the kernel overrides that value
# to forward requests to a frontend.
def input(prompt=""):
    return builtin_mod.input(prompt)


def execfile(fname, glob, loc=None, compiler=None):
    # Execute a file's source in the given globals/locals (locals default to globals).
    loc = loc if (loc is not None) else glob
    with open(fname, "rb") as f:
        compiler = compiler or compile
        exec(compiler(f.read(), fname, "exec"), glob, loc)


PYPY = platform.python_implementation() == "PyPy"

# Cython still rely on that as a Dec 28 2019
# See https://github.com/cython/cython/pull/3291 and
# https://github.com/ipython/ipython/issues/12068
def no_code(x, encoding=None):
    return x


unicode_to_str = cast_bytes_py2 = no_code