Showing posts from August 23, 2020

Never run "python" in your "Downloads" folder

One of the wonderful things about Python is the ease with which you can start writing a script - just drop some code into a .py file, and run python my_file.py. Similarly it’s easy to get started with modularity: split my_file.py into my_app.py and my_lib.py, and you can import my_lib from my_app.py and start organizing your code into modules. However, the details of the machinery that makes this work have some surprising, and sometimes very security-critical consequences: the more convenient it is for you to execute code from different locations, the more opportunities an attacker has to execute it as well...

Python needs a safe space to load code from

Here are three critical assumptions embedded in Python’s security model:

1. Every entry on sys.path is assumed to be a secure location from which it is safe to execute arbitrary code.
2. The directory where the “main script” is located is always on sys.path.
3. When invoking python directly, the current dir
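The assumptions listed above can be checked from inside the interpreter. The audit below is an added example, not code from the original post: it walks sys.path and flags the entries Python will trust as code sources that a defender would want to look at, namely the implicit current-directory entry (the empty string), directories whose name suggests unreviewed content, and directories other users can write to. The list of "untrusted" directory names is an assumed heuristic, not something the post specifies.

```python
"""Audit sys.path for entries Python will trust as code sources."""
import stat
import sys
from pathlib import Path

# Assumption: a heuristic set of directory names that usually hold files
# nobody has reviewed. Not part of the original post.
UNTRUSTED_DIR_NAMES = {"downloads", "tmp", "temp"}


def classify_entry(entry: str) -> list[str]:
    """Return the reasons a sys.path entry is risky (empty list = fine)."""
    reasons = []
    if entry == "":
        # '' means "whatever the current working directory happens to be".
        reasons.append("implicit current directory")
        return reasons
    path = Path(entry)
    if any(part.lower() in UNTRUSTED_DIR_NAMES for part in path.parts):
        reasons.append("lives under an untrusted directory name")
    try:
        mode = path.stat().st_mode
    except OSError:
        return reasons  # not on disk (e.g. a zip path); nothing more to check
    # World-writable without the sticky bit: any local user can drop a module.
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        reasons.append("world-writable without sticky bit")
    return reasons


def audit_sys_path(entries=None) -> dict[str, list[str]]:
    """Map each risky entry of sys.path (or of the given list) to its reasons."""
    entries = sys.path if entries is None else entries
    findings = {}
    for entry in entries:
        reasons = classify_entry(entry)
        if reasons:
            findings[entry] = reasons
    return findings


if __name__ == "__main__":
    # Running this from a Downloads folder shows the script directory flagged.
    for entry, reasons in audit_sys_path().items():
        print(f"{entry or '<cwd>'}: {', '.join(reasons)}")
```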