PEP 446: add example of vulnerabilities
parent 6196392414
commit a3ed1793a7
46
pep-0446.txt
|
@ -140,19 +140,6 @@ Two common issues with inherited file descriptors:
|
||||||
the server restarts while the program is not done: the server cannot
|
the server restarts while the program is not done: the server cannot
|
||||||
start because the TCP port is still in use.
|
start because the TCP port is still in use.
|
||||||
|
|
||||||
Leaking file descriptors is also a well known security vulnerability:
|
|
||||||
read
|
|
||||||
`FIO42-C. Ensure files are properly closed when they are no longer
|
|
||||||
needed
|
|
||||||
<https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed>`_
|
|
||||||
of the CERT.
|
|
||||||
|
|
||||||
An untrusted child process can read sensitive data like passwords and
|
|
||||||
take control of the parent process though leaked file descriptors. It is
|
|
||||||
for example a way to escape from a chroot. With a leaked listening
|
|
||||||
socket, a child process can accept new connections to read sensitive
|
|
||||||
data.
|
|
||||||
|
|
||||||
Example of issues in open source projects:
|
Example of issues in open source projects:
|
||||||
|
|
||||||
* `Mozilla (Firefox) <https://bugzilla.mozilla.org/show_bug.cgi?id=147659>`_:
|
* `Mozilla (Firefox) <https://bugzilla.mozilla.org/show_bug.cgi?id=147659>`_:
|
||||||
|
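Review bot: the two paragraphs deleted after "start because the TCP port is still in use." were the only mention of security impact in this part of the PEP, and nothing is left in their place. Since the text moves to a separate "Security Vulnerability" section further down, consider keeping a one-sentence pointer here so a reader of the inheritance issues learns that leaked descriptors are also a security problem before reaching the list of open source project issues.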
@ -178,6 +165,39 @@ Example of issues in open source projects:
|
||||||
open since 2012-07
|
open since 2012-07
|
||||||
|
|
||||||
|
|
||||||
|
Security Vulnerability
|
||||||
|
----------------------
|
||||||
|
|
||||||
|
Leaking file descriptors is also a well known security vulnerability:
|
||||||
|
read
|
||||||
|
`FIO42-C. Ensure files are properly closed when they are no longer
|
||||||
|
needed
|
||||||
|
<https://www.securecoding.cert.org/confluence/display/seccode/FIO42-C.+Ensure+files+are+properly+closed+when+they+are+no+longer+needed>`_
|
||||||
|
of the CERT.
|
||||||
|
|
||||||
|
An untrusted child process can read sensitive data like passwords and
|
||||||
|
take control of the parent process though leaked file descriptors. It is
|
||||||
|
for example a way to escape from a chroot. With a leaked listening
|
||||||
|
socket, a child process can accept new connections to read sensitive
|
||||||
|
data.
|
||||||
|
|
||||||
|
Example of vulnerabilities:
|
||||||
|
|
||||||
|
* `Hijacking Apache https by mod_php
|
||||||
|
<http://www.securityfocus.com/archive/1/348368>`_ (2003)
|
||||||
|
|
||||||
|
* Apache: `Apr should set FD_CLOEXEC if APR_FOPEN_NOCLEANUP is not set
|
||||||
|
<https://issues.apache.org/bugzilla/show_bug.cgi?id=46425>`_:
|
||||||
|
fixed in 2009
|
||||||
|
* PHP: `system() (and similar) don't cleanup opened handles of Apache
|
||||||
|
<https://bugs.php.net/bug.php?id=38915>`_: open since 2006
|
||||||
|
* `CWE-403: Exposure of File Descriptor to Unintended Control Sphere
|
||||||
|
<http://cwe.mitre.org/data/definitions/403.html>`_ (2008)
|
||||||
|
* `OpenSSH Security Advisory: portable-keysign-rand-helper.adv
|
||||||
|
<http://www.openssh.com/txt/portable-keysign-rand-helper.adv>`_
|
||||||
|
(2011)
|
||||||
|
|
||||||
|
|
||||||
Issues fixed in the subprocess module
|
Issues fixed in the subprocess module
|
||||||
-------------------------------------
|
-------------------------------------
|
||||||
|
|
||||||
|
|
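Review bot: typo in the added paragraph under "Security Vulnerability": "take control of the parent process though leaked file descriptors" should read "through leaked file descriptors". The text is moved unchanged from its old location, so this hunk is the place to fix it. In the same paragraph, "It is for example a way to escape from a chroot" is stated without a reference; tie it to one of the entries in the list below or add a citation. In the "Example of vulnerabilities:" list the entries are annotated inconsistently ("(2003)", "fixed in 2009", "open since 2006", "(2011)"); pick one form, and give the year in the same position for every item. CWE-403 is a weakness definition rather than a vulnerability report, so it reads better next to the FIO42-C reference in the first paragraph than among the Apache, PHP and OpenSSH items. Finally, the section title is singular ("Security Vulnerability") while the list intro says "Example of vulnerabilities:"; "Examples of vulnerabilities:" would match the plural list.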