[experimental python] Local file inclusion #184

Closed
sephialife opened this issue Jan 19, 2016 · 3 comments

@sephialife

Hey guys, I just took a look and it seems that it's possible to read local files using Python.
I know it's an experimental feature; here is the code I tested:

```python
import pprint
print "Hello, this is a Python script."
print "Hook['params'] is populated with request parameters"
pprint.pprint(open('/etc/resolv.conf','r').read())
```

@Marak
Collaborator

Marak commented Jan 19, 2016

I believe that /etc/resolv.conf is a file that has been specifically placed inside your chroot jail.

Are you able to enumerate or access any files which may cause any security issues? The shared application space should be read-only and contain no sensitive information.

@Marak
Collaborator

Marak commented Feb 21, 2016

Since we don't disallow reading the local files from the chroot jail, I'm going to close this issue for now.

If anyone finds any sensitive system data that can be accessed from within a hook service, please let me know.

@Marak Marak closed this as completed Feb 21, 2016
@pyhedgehog

@sephialife, please join the discussion important for Python support.
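
The thread above rests on the claim that the shared application space in the chroot jail is read-only and contains no sensitive information. One way a jail operator could check both properties is sketched below; this is an added example, not hook.io's code, and `audit_jail`, the name patterns and the sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import stat
import tempfile

# Assumed name patterns for material that should never sit in a shared jail.
SENSITIVE_PATTERNS = ["shadow", "*.pem", "*.key", "id_rsa*", ".env"]


def audit_jail(root, patterns=SENSITIVE_PATTERNS):
    """Return (writable, sensitive) lists of paths relative to `root`."""
    writable, sensitive = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the jail
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            # "Read-only" check: no group/other write bit on any entry.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                writable.append(rel)
            # "Nothing sensitive" check: other-readable file with a flagged name.
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH
                    and any(fnmatch.fnmatch(name, p) for p in patterns)):
                sensitive.append(rel)
    return sorted(writable), sorted(sensitive)


def build_sample_jail():
    """Constructed sample tree so the example runs offline."""
    root = tempfile.mkdtemp(prefix="jail-")
    for d, mode in (("etc", 0o755), ("tmp", 0o777)):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    layout = {"etc/resolv.conf": 0o444, "etc/shadow": 0o644,
              "etc/server.key": 0o600, "tmp/scratch": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    writable, sensitive = audit_jail(build_sample_jail())
    print("writable:", writable)
    print("sensitive:", sensitive)
```

Run against the real jail root, an empty result for both lists is what the "read-only, nothing sensitive" claim predicts; any entry is something to review before closing a report like this one.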
