Showing posts from August 23, 2020

Never run "python" in your "Downloads" folder

One of the wonderful things about Python is the ease with which you can start writing a script: just drop some code into a .py file, and run python my_file.py. Similarly, it's easy to get started with modularity: split my_file.py into my_app.py and my_lib.py, and you can import my_lib from my_app.py and start organizing your code into modules.

However, the details of the machinery that makes this work have some surprising, and sometimes very security-critical, consequences: the more convenient it is for you to execute code from different locations, the more opportunities an attacker has to execute it as well...

Python needs a safe space to load code from

Here are three critical assumptions embedded in Python's security model:

1. Every entry on sys.path is assumed to be a secure location from which it is safe to execute arbitrary code.
2. The directory where the "main script" is located is always on sys.path.
3. When invoking python directly, the current directory is treated as the "main script" location, even wh…