Opened 9 years ago

Last modified 3 years ago

#13579 closed defect

test_executable security risk — at Version 5

Reported by: vbraun Owned by: mvngu
Priority: blocker Milestone: sage-5.4
Component: doctest coverage Keywords:
Cc: jdemeyer Merged in:
Authors: Jeroen Demeyer, Volker Braun Reviewers: Volker Braun, Jeroen Demeyer
Report Upstream: Reported upstream. No feedback yet. Work issues:
Branch: Commit:
Dependencies: Stopgaps:

Status badges

Description (last modified by vbraun)

test_executable runs various executables in /tmp. When running a script, Python puts the directory containing that script in sys.path. Therefore, it is trivial for any user to have code executed by the user running the doctests. For example:

[eviluser@hostname ~]$ echo 'print "EVIL!!"' > /tmp/socket.py
...
[vbraun@hostname ~]$ sage -t -force_lib devel/sage/sage/tests/cmdline.py
sage -t -force_lib "devel/sage/sage/tests/cmdline.py"       
**********************************************************************
File "/home/vbraun/opt/sage-5.4.beta1/devel/sage/sage/tests/cmdline.py", line 248:
    sage: print out
Expected:
    1
Got:
    EVIL!!

test_executable should securely create a temp directory and run the executable in there.

Apply 13579_secure_tmp.patch, trac_13579_fix_test_executable.patch to the Sage library.

Change History (6)

comment:1 Changed 9 years ago by jdemeyer

  • Description modified (diff)

comment:2 Changed 9 years ago by jdemeyer

  • Milestone changed from sage-5.5 to sage-5.4

Changed 9 years ago by jdemeyer

comment:3 Changed 9 years ago by vbraun

Oops, looks like we did it at the same time.

comment:4 Changed 9 years ago by vbraun

  • Authors set to Jeroen Demeyer, Volker Braun
  • Description modified (diff)
  • Reviewers set to Volker Braun, Jeroen Demeyer
  • Status changed from new to needs_review

I'm fine with your patch. All doctests pass with both patches applied.

comment:5 Changed 9 years ago by vbraun

  • Description modified (diff)
Note: See TracTickets for help on using tickets.