platform._uname_cache is writeable

[pythonhacker]

BPO	23748
Nosy	@vstinner
Files	hack_uname.py

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2015-03-23.10:43:46.002>
created_at = <Date 2015-03-23.10:37:50.597>
labels = ['type-security', 'invalid', 'library']
title = 'platform._uname_cache is writeable'
updated_at = <Date 2015-03-23.12:18:47.830>
user = 'https://bugs.python.org/pythonhacker'

bugs.python.org fields:

activity = <Date 2015-03-23.12:18:47.830>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2015-03-23.10:43:46.002>
closer = 'vstinner'
components = ['Library (Lib)']
creation = <Date 2015-03-23.10:37:50.597>
creator = 'pythonhacker'
dependencies = []
files = ['38652']
hgrepos = []
issue_num = 23748
keywords = []
message_count = 6.0
messages = ['239005', '239007', '239008', '239009', '239010', '239011']
nosy_count = 2.0
nosy_names = ['vstinner', 'pythonhacker']
pr_nums = []
priority = 'normal'
resolution = 'not a bug'
stage = None
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue23748'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5']

[pythonhacker]

>> import platform
>>> print 'Actual =>',platform.uname()
Actual => ('Linux', 'toshiba-laptop', '3.13.0-24-generic', '#47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014', 'x86_64', 'x86_64')
>>> import hack_uname
# Someone imports my module unaware of the hack (see attached file)
>>> platform.uname()
('Limux', 'hacker-laptop', '11.15.0-28000-absurd', '#10000 - FunkyDistro SMMP Fry Feb 30 2015 23:59:00 UTC 2015', 'x866_64', 'x866_64')

Fix - Make the global _uname_cache inaccessible via the module and hence unwriteable. I can provide a patch - it is kind of easy fix.

I think this might also be a security issue since if someone is writing a significant piece of code based on the platform it can screw up the system - or his web application if a piece of code like this is introduced in a module via his chain of imports by a malicious hacker.

[pythonhacker]

I am changing the type to security as I dont think this is a behaviour issue.

[vstinner]

we are all consenting adults here. Why do you modify a private attribute?

I am changing the type to security as I dont think this is a behaviour issue.

I don't understand why do you consider that it is a security vulnerability?

>>> import hack_uname
# Someone imports my module unaware of the hack (see attached file)

Your exploit starts by running untrusted Python code. Never do that. The vulnerability is the ability to load unstrusted Python code, not to modify the platform module.

I close the issue as not a bug.

[pythonhacker]

Hmmm... dear sir - what prevents you from adding an __all__ to the module with these cache variables excluded ?

[pythonhacker]

Closing is an easy fix, bet on my word this would appear as a different bug, thanks for your quickie fix!

[vstinner]

Hmmm... dear sir - what prevents you from adding an __all__ to the module with these cache variables excluded ?

You didn't understand the general philosophy, we are not hidding internals. For the specific case of platform._uname_cache, it uses the "_" prefix which is an indicator saying that "you are not supposed to modify it except if you really understand what do you". It's useful to have this variable modifiable, for unit tests for example.

I don't see how adding __all__ variable to the platform would change anything. Variables prefixed by "_" are already excluded when using "from platform import *".

If you don't understand the Python philosophy, please open a thread on python-ideas or even python-dev mailing list, to get a longer explanation.

Read also the PEP-20.