are module imports safe?
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Invalid | Undecided | Unassigned | |
| oslo.privsep | Opinion | Undecided | Unassigned | |
Bug Description
Hello, I'm conducting a very quick review of oslo.privsep as part of the
Main Inclusion Process for Ubuntu.
I'm curious how oslo.privsep prevents malicious imports:
    def _process_cmd(self, cmd, *args):
        if cmd == Message.PING:
            return (Message.
        elif cmd == Message.CALL:
            name, f_args, f_kwargs = args
            func = importutils.
            if not self.context.
                msg = _('Invalid privsep function: %s not exported') % name
            ret = func(*f_args, **f_kwargs)
            return (Message.RET.value, ret)
        raise ProtocolError(
This calls importutils.
untrusted source.
import_class() doesn't appear to do any filtering of any sort to prevent
specifying module paths that aren't allowed:
    def import_
        """Returns a class from a string including module and class.

        .. versionadded:: 0.3
        """
        mod_str, _sep, class_str = import_
        __import_
        try:
            return getattr(
        except AttributeError:
            raise ImportError('Class %s cannot be found (%s)' %
A few versions of Python documentation don't describe any attempts to
filter __import__() to only trusted module loading paths:
https:/
https:/
Is it necessary to allow arbitrary module loading? This has caused no end
of trouble for the Java community. (See posts from Security Explorations
to full-disclosure for the last four or five years.)
Thanks
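The ordering the report questions, shown as an added example that is not oslo.privsep's own code: a name-based dispatcher that tests the requested name against an explicit allowlist before any import, contrasted with the import-first ordering quoted above. The names `ALLOWED_FUNCTIONS`, `dispatch_call`, `import_then_check` and `failure_kind` are assumptions made for this example; the allowlist contents are constructed, not taken from the project.

```python
"""Added example: gate a name-based dispatch on an allowlist before importing.

Illustrative code, not oslo.privsep's implementation. ALLOWED_FUNCTIONS,
dispatch_call, import_then_check and failure_kind are names assumed for this
example. The point is where the allowlist check sits relative to import_module.
"""
import importlib


class ProtocolError(Exception):
    """Raised when a request names something outside the allowlist."""


# Constructed allowlist: fully qualified names the dispatcher will import and
# call. Anything else is refused before any module is loaded.
ALLOWED_FUNCTIONS = frozenset({
    "os.path.basename",
    "json.dumps",
})


def split_dotted_name(name):
    """Split 'pkg.mod.func' into ('pkg.mod', 'func'); reject names lacking a module part."""
    mod_str, sep, attr = name.rpartition(".")
    if not sep or not mod_str or not attr:
        raise ProtocolError("malformed function name: %r" % (name,))
    return mod_str, attr


def dispatch_call(name, args=(), kwargs=None):
    """Resolve and call ``name`` only if it is on the allowlist.

    The membership test runs before importlib.import_module, so an unlisted
    name never causes a module to be loaded or its module-level code to run.
    """
    kwargs = kwargs or {}
    if name not in ALLOWED_FUNCTIONS:
        raise ProtocolError("Invalid privsep function: %s not exported" % name)
    mod_str, attr = split_dotted_name(name)
    module = importlib.import_module(mod_str)
    try:
        func = getattr(module, attr)
    except AttributeError:
        raise ImportError("Function %s cannot be found in %s" % (attr, mod_str))
    return func(*args, **kwargs)


def import_then_check(name, args=(), kwargs=None):
    """Same dispatch, but with the import performed before the allowlist test.

    This mirrors the ordering the bug report asks about: the module named in
    the request is imported first, and only afterwards is the name compared
    against the export list, so an unlisted name still has its module loaded.
    """
    kwargs = kwargs or {}
    mod_str, attr = split_dotted_name(name)
    module = importlib.import_module(mod_str)  # happens before any allowlist check
    func = getattr(module, attr)
    if name not in ALLOWED_FUNCTIONS:
        raise ProtocolError("Invalid privsep function: %s not exported" % name)
    return func(*args, **kwargs)


def failure_kind(dispatcher, name):
    """Call ``dispatcher(name)`` and report which exception class stopped it.

    ProtocolError means the name was refused by the allowlist; an ImportError
    subclass means the import was actually attempted first.
    """
    try:
        dispatcher(name)
    except (ProtocolError, ImportError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print(dispatch_call("os.path.basename", ("/tmp/x.txt",)))
    print(failure_kind(dispatch_call, "no_such_module_xyz.run"))
    print(failure_kind(import_then_check, "no_such_module_xyz.run"))
```

With a request naming a module that does not exist, `dispatch_call` stops with `ProtocolError` and never touches the import system, while `import_then_check` fails with `ModuleNotFoundError`, which is the observable sign that the import was attempted before the export list was consulted.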
description: updated
Changed in ossa:
status: Won't Fix → Invalid
information type: Public Security → Public
I added a manual subscription to hopefully make these visible. If that didn't do it, I'll just open them public.
Thanks