Fix CVE-2023-24816 by removing legacy code.

Remove legacy code that might trigger a CVE. Currently set_term_title is only called with (semi-)trusted input that contains the current working directory of the current IPython session. If an attacker can control directory names, and manages to get a user to cd into this directory, the attacker can execute arbitrary commands contained in the folder names.

Example:

- On a Windows machine where Python is built without _ctypes, create a folder called && echo "pwn" > pwn.txt (this can be done by, for example, cloning a git repository).
- Call toggled_set_term_title(True) (or have the preference set to true).
- Open IPython and cd into this directory.
- The folder now contains a pwn.txt, with pwn as content, despite the user not asking for any code execution.

Workaround: Set the configuration option c.TerminalInteractiveShell.term_title_format='IPython' (or to any other fixed, safe string).
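As an added illustration of the mechanism the commit message describes (this is example code written for this page, not IPython's own implementation): a model of a title setter that interpolates the working directory into a Windows shell command line, next to a shell-free alternative that writes the xterm OSC title sequence and strips control characters, plus the term_title_format workaround. The directory name, the function names and the OSC-sequence hardening are assumptions made here; the commit message only states that commands in folder names get executed and that a fixed term_title_format avoids it.

```python
import re
from io import StringIO

# Constructed attacker-controlled directory name, taken from the scenario in the
# commit message. An attacker can plant it via e.g. a cloned git repository.
MALICIOUS_DIR = '&& echo "pwn" > pwn.txt'

# cmd.exe control operators; this split is an approximation for illustration.
_CMD_OPERATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def legacy_title_command(title):
    """Model of the legacy path (hypothetical, not IPython's code): the title is
    interpolated into a command line for the Windows shell. Any shell operator
    inside `title` turns the rest of the string into a second command."""
    return "title " + title


def split_shell_commands(cmdline):
    """Show what the shell would see: one entry per command in `cmdline`."""
    return [part for part in _CMD_OPERATORS.split(cmdline) if part.strip()]


def format_title(term_title_format, cwd):
    """Apply the user's title format. The workaround from the commit message is a
    fixed format with no {cwd} placeholder, so directory names never reach the
    title at all."""
    return term_title_format.format(cwd=cwd)


def title_sequence(title):
    """Build the xterm OSC 0 title sequence (an assumption of this example).
    C0/C1 control characters are stripped so the title cannot terminate the
    sequence early or smuggle in its own escape codes."""
    cleaned = re.sub(r"[\x00-\x1f\x7f-\x9f]", "", title)
    return "\x1b]0;" + cleaned + "\x07"


def set_term_title_no_shell(title, stream):
    """Hardened alternative: write the title sequence straight to the terminal.
    No shell is involved, so && and friends are inert text."""
    sequence = title_sequence(title)
    stream.write(sequence)
    return sequence


if __name__ == "__main__":
    # What the shell executes when the legacy path is fed the malicious cwd:
    print(split_shell_commands(legacy_title_command(MALICIOUS_DIR)))
    # With the workaround, the directory never appears in the title:
    print(format_title("IPython", MALICIOUS_DIR))
    # Shell-free path: the operators survive only as text inside the sequence.
    print(repr(set_term_title_no_shell(MALICIOUS_DIR, StringIO())))
```

Running the module prints the two commands the shell would see for the legacy path (`title` followed by the injected `echo`), the fixed title `IPython` for the workaround, and the OSC sequence for the shell-free path. The control-character stripping matters even without a shell: a directory name containing ESC or BEL could otherwise end the title sequence and start a new one.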

File last commit:

r27494:23276ac4
r28089:991849c2
test_pycolorize.py
69 lines | 1.7 KiB | text/x-python | PythonLexer
# coding: utf-8
"""Test suite for our color utilities.

Authors
-------

* Min RK
"""
#-----------------------------------------------------------------------------
# Copyright (C) 2011 The IPython Development Team
#
# Distributed under the terms of the BSD License. The full license is in
# the file COPYING.txt, distributed as part of this software.
#-----------------------------------------------------------------------------

#-----------------------------------------------------------------------------
# Imports
#-----------------------------------------------------------------------------

# our own
from IPython.utils.PyColorize import Parser
import io
import pytest


# Run every test once per supported colour scheme.
@pytest.fixture(scope="module", params=("Linux", "NoColor", "LightBG", "Neutral"))
def style(request):
    yield request.param


#-----------------------------------------------------------------------------
# Test functions
#-----------------------------------------------------------------------------

sample = """
def function(arg, *args, kwarg=True, **kwargs):
    '''
    this is docs
    '''
    pass is True
    False == None

    with io.open(ru'unicode', encoding='utf-8'):
        raise ValueError("\n escape \r sequence")

    print("wěird ünicoðe")

class Bar(Super):

    def __init__(self):
        super(Bar, self).__init__(1**2, 3^4, 5 or 6)
"""


def test_parse_sample(style):
    """and test writing to a buffer"""
    buf = io.StringIO()
    p = Parser(style=style)
    p.format(sample, buf)
    buf.seek(0)
    f1 = buf.read()

    # Tokenizable source must colorize without the parser's error marker.
    assert "ERROR" not in f1


def test_parse_error(style):
    # An unbalanced ")" cannot be tokenized; every colour scheme should flag it.
    # NoColor is excluded because it emits no markup to check for.
    p = Parser(style=style)
    f1 = p.format(")", "str")
    if style != "NoColor":
        assert "ERROR" in f1