[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [oss-security] ipython3 may execute code from the current working directory




On 7/22/21 5:35 AM, Jakub Wilk wrote:
* Georgi Guninski <gguninski AT gmail.com>, 2021-07-22, 11:52:
Summary: under certain circumstances, ipython3 may execute code from the current working directory.

Looks like this might be intentional? Or at least there's an option to turn off this behavior:

https://github.com/ipython/ipython/blob/7.25.0/IPython/core/shellapp.py#L219

normally (cpython), an empty string in sys.path doesn't mean "current directory", it means "script directory", the directory the script you're running is found in [1]. that only falls back to current directory in case there is no script directory - which happens if you invoke the interpreter interactively . So maybe ipython isn't interpreting this the same way?

there have been more than one security concern about the way this makes it possible for untrusted modules to get loaded.

[1]  https://docs.python.org/3/library/sys.html#sys.path