Security risk of hidden pth files #113659

serhiy-storchaka · 2024-01-02T17:52:02Z

"pth files are evil." (Barry Warsaw, #78125)

There is a special kind of evilness:

pth files allow to execute arbitrary Python code.
pth files are executed automatically, unlike to normal py files which need explicit import or passing as argument to Python interpreter.
Some files are hidden by default (in shell and file managers). In particularly dot-files on Posix.

In sum, it increases the risk of executing malicious code. When you receive a handful of files, you, as a cautious person, check their contents before executing. If Python source files are hidden, it's okay, because you saw that nothing suspicious is imported in the files that you execute. But pth files can be executed even if you do not see them and there are no references in visible files.

This issue was first discussed in comments in #113357.

The severity of this issue is not very large, because it requires user interaction to activate. But it increases the risk. I think we should forbid processing hidden pth files.

Linked PRs

gh-113659: Skip hidden .pth files #113660

serhiy-storchaka added type-security A security issue 3.11 bug and security fixes 3.10 only security fixes 3.9 only security fixes 3.8 only security fixes 3.12 bugs and security fixes 3.13 new features, bugs and security fixes labels Jan 2, 2024

serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this issue Jan 2, 2024

pythongh-113659: Skip hidden .pth files

499fb95

bedevere-app bot mentioned this issue Jan 2, 2024

gh-113659: Skip hidden .pth files #113660

Open

serhiy-storchaka mentioned this issue Jan 2, 2024

gh-113356: Ignore errors in "._ABC.pth" #113357

Open

Security risk of hidden pth files #113659

Security risk of hidden pth files #113659

Comments

serhiy-storchaka commented Jan 2, 2024 • edited by bedevere-app bot

Linked PRs

serhiy-storchaka commented Jan 2, 2024 •

edited by bedevere-app bot