security/bugfix: remove '' from sys.path

acapnotic CVS cvstoys-list@twistedmatrix.com
Mon Aug 18 00:20:01 2003


Modified files:
CVSToys/bin/loginfo 1.1 1.2
CVSToys/NEWS 1.27 1.28
CVSToys/ChangeLog 1.83 1.84

Log message:
security/bugfix: remove '' from sys.path

This is only a "security" fix if your commiters do not have shell
access anyway.


ViewCVS links:
http://twistedmatrix.com/users/jh.twistd/viewcvs/cgi/viewcvs.cgi/bin/loginfo.diff?r1=text&tr1=1.1&r2=text&tr2=1.2&cvsroot=CVSToys
http://twistedmatrix.com/users/jh.twistd/viewcvs/cgi/viewcvs.cgi/NEWS.diff?r1=text&tr1=1.27&r2=text&tr2=1.28&cvsroot=CVSToys
http://twistedmatrix.com/users/jh.twistd/viewcvs/cgi/viewcvs.cgi/ChangeLog.diff?r1=text&tr1=1.83&r2=text&tr2=1.84&cvsroot=CVSToys

Index: CVSToys/ChangeLog
diff -u CVSToys/ChangeLog:1.83 CVSToys/ChangeLog:1.84
--- CVSToys/ChangeLog:1.83	Sun Aug 17 19:32:24 2003
+++ CVSToys/ChangeLog	Sun Aug 17 22:18:56 2003
@@ -1,5 +1,8 @@
 2003-08-17  Kevin Turner  <acapnotic@twistedmatrix.com>
 
+	* bin/loginfo: 1.1 Security fix: remove '' from sys.path before loading
+	any modules.
+
 	* TODO: 1.26 Lots of new things to do, gathered from the mailing list.
 
 2003-04-19  Kevin Turner  <acapnotic@twistedmatrix.com>

Index: CVSToys/bin/loginfo
diff -u CVSToys/bin/loginfo:1.1 CVSToys/bin/loginfo:1.2
--- CVSToys/bin/loginfo:1.1	Mon Sep  9 13:35:31 2002
+++ CVSToys/bin/loginfo	Sun Aug 17 22:18:56 2003
@@ -1,4 +1,25 @@
 #!/usr/bin/env python
-# $Id: loginfo,v 1.1 2002/09/09 20:35:31 acapnotic Exp $
+# $Id: loginfo,v 1.2 2003/08/18 05:18:56 acapnotic Exp $
+
+import sys
+try:
+    # Ok, this is one of those bits of code which needs commenting.  Problem
+    # is, this script may be invoked in such a way that Python adds '' to
+    # the beginning of sys.path, and CVS seems to run commitinfo scripts
+    # from a directory in which there are copies of the files waiting to be
+    # checked in.  The result is that if you are checking in a file whose name
+    # conflicts with something in the top-level module namespace, (i.e. most
+    # anything in the standard library, such as 'token.py'), and that module
+    # is imported by any code used by this process, Python will load that file
+    # instead of the module this code expects.
+    #   The effects of this range from not being able to check things in when
+    # Python throws an exception and gives a nonzero exit code to commitinfo,
+    # to a wide security hole if you thought you were giving people "CVS only"
+    # accounts.
+    #   Removing '' from the path should solve all that.
+    sys.path.remove('')
+except KeyError:
+    pass
+
 from cvstoys import loginfo
 loginfo.main()

Index: CVSToys/NEWS
diff -u CVSToys/NEWS:1.27 CVSToys/NEWS:1.28
--- CVSToys/NEWS:1.27	Sun Apr 20 00:00:18 2003
+++ CVSToys/NEWS	Sun Aug 17 22:18:56 2003
@@ -1,3 +1,12 @@
+Version 1.0.9, NOTYET
+
+ * Security fix: Remove '' from sys.path before loading any modules for the
+   commitinfo script.  There was a bug here which could prevent you from
+   checking in files with certain names, and could also be exploited by a
+   malicious committer to run arbitrary code in what might otherwise be a
+   "CVS only" account.  (But if your commiters have full shell access, it
+   doesn't give them any permissions they did not have access to already.)
+
 Version 1.0.8, 4/20/2003
 
  * Brown paper bag release, don't crash when action is None.
@@ -114,4 +123,4 @@
  * First release.
 
 -- 
-$Id: NEWS,v 1.27 2003/04/20 07:00:18 acapnotic Exp $
+$Id: NEWS,v 1.28 2003/08/18 05:18:56 acapnotic Exp $