SF bug 533625 (Armin Rigo). rexec: potential security hole

If a rexec instance allows writing in the current directory (a common thing to do), there's a way to execute bogus bytecode. Fix this by not allowing imports from .pyc files (in a way that allows a site to configure things so that .pyc files *are* allowed, if writing is not allowed). I'll apply this to 2.2 and 2.1 too.
2025-08-03 00:23:06 +00:00 · 2002-05-31 21:12:53 +00:00 · 2002-05-31 21:12:53 +00:00 · 59b2a74c75
commit 59b2a74c75
parent 9788384d02
2 changed files with 23 additions and 1 deletions
--- a/Doc/lib/librexec.tex
+++ b/Doc/lib/librexec.tex
@ -211,6 +211,18 @@ environment.  The value for \class{RExec} is \code{('ps1', 'ps2',
 'copyright', 'version', 'platform', 'exit', 'maxint')}.
 \end{memberdesc}

+\begin{memberdesc}{ok_file_types}
+Contains the file types from which modules are allowed to be loaded.
+Each file type is an integer constant defined in the \refmodule{imp} module.
+The meaningful values are \constant{PY_SOURCE}, \constant{PY_COMPILED}, and
+\constant{C_EXTENSION}.  The value for \class{RExec} is \code{(C_EXTENSION,
+PY_SOURCE)}.  Adding \constant{PY_COMPILED} in subclasses is not recommended;
+an attacker could exit the restricted execution mode by putting a forged
+byte-compiled file (\file{.pyc}) anywhere in your file system, for example
+by writing it to \file{/tmp} or uploading it to the \file{/incoming}
+directory of your public FTP server.
+\end{memberdesc}
+

 \subsection{An example}