oss-sec mailing list archives
Re: Pylint checks not as static as one would think
From: Jakub Wilk <jwilk () jwilk net>
Date: Tue, 12 Jul 2016 11:14:53 +0200
* Jakub Wilk <jwilk () jwilk net>, 2014-09-29, 14:32:
$ cat moo.py from _moo import * $ cat moo.c #include <stdio.h> #include <signal.h> void __attribute__((constructor)) moo() { printf("moo!\n"); kill(0, SIGSEGV); } $ gcc -Wall -shared -fPIC moo.c -o _moo.so $ pylint moo.py No config file found, using default configuration moo! Segmentation fault
This was fixed in Pylint 1.4.0: | * Added new options for controlling the loading of C extensions. | By default, only C extensions from the stdlib will be loaded | into the active Python interpreter for inspection, because they | can run arbitrary code on import. The option | `--extension-pkg-whitelist` can be used to specify modules | or packages that are safe to load.Beware that by default Pylint reads configuration file from cwd, and this configuration file can whitelist malicious extensions. You probably want to use --rcfile=/dev/null when cwd is untrusted.
And here's another code execution bug: https://github.com/PyCQA/pylint/issues/959 -- Jakub Wilk
Current thread:
- Re: Pylint checks not as static as one would think Jakub Wilk (Jul 12)