Enable stack cookies for C speedups #73
Comments
If they cannot be enabled with a compiler flag,
Apparently these compiler switches enable them. But I guess they'd need to be specified in a compiler-agnostic way since the speedups may be compiled e.g. with Microsoft's compiler if someone is on Windows.
Can't you use just
I'm not convinced this is a good idea. I looked at a few other projects and none of them had these flags set, including SQLAlchemy and Cryptography, two widely used libraries with C components. Is MarkupSafe the only package that raised this warning? Re: portability, will this affect wheels I build and release to PyPI? Does setting that env var and telling pip to build from source accomplish what you need? Without understanding this more, I'm not planning on implementing it.
Closing due to lack of information. If this is important to you, I'll need help to understand and implement it correctly.
Hi,
I was running a vulnerability scan on one of the EC2 instances in AWS, and during the scan one finding was reported against markupsafe. The details are below:
Rules package: Runtime Behavior Analysis-1.0
Finding: The following executable files on instance do not support stack cookies: /lib/python2.7/site-packages/markupsafe/_speedups.so.
Severity: Medium
Description: This rule detects the presence of third-party software that is compiled without support for stack cookies. Stack cookies increase system security by defending against stack-based buffer overflow and other memory corruption attacks.
Recommendation: It is recommended that you uninstall this software from your assessment target if you are not using it, or contact the vendor to get an updated version of this software with stack cookies enabled.
FYI, it's a Django 1.10 stack using Jinja2, which has markupsafe as a required package. The installed version of MarkupSafe is 0.23.
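A way to verify for yourself whether a built extension such as _speedups.so carries stack cookies, before or after rebuilding it from source with the protector flag, as an added example that is neither MarkupSafe's code nor the scanner's. It assumes the same heuristic tools like checksec use: GCC's and Clang's -fstack-protector* instrumentation leaves a reference to __stack_chk_fail (or __stack_chk_fail_local / __stack_chk_guard) in the ELF symbol tables, so an image without any of those symbols was not instrumented. Whether the AWS rule works exactly this way is an assumption; the sample ELF image the block builds is constructed test data, and Windows PE files built with MSVC's /GS are not covered.

```python
import struct

SHT_SYMTAB, SHT_DYNSYM = 2, 11
# Names that GCC/Clang stack-protector instrumentation references on glibc and musl targets.
CANARY_SYMBOLS = {b"__stack_chk_fail", b"__stack_chk_fail_local", b"__stack_chk_guard"}

def elf_symbol_names(data):
    """Yield every symbol name in the .symtab/.dynsym sections of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    is64 = data[4] == 2                          # EI_CLASS: 2 = ELF64, 1 = ELF32
    shoff = struct.unpack_from(end + ("Q" if is64 else "I"), data, 0x28 if is64 else 0x20)[0]
    shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A if is64 else 0x2E)
    sh_fmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")   # Elf{64,32}_Shdr
    sym_fmt = end + ("IBBHQQ" if is64 else "IIIBBH")           # Elf{64,32}_Sym
    sections = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    for sec in sections:
        sh_type, sh_offset, sh_size, sh_link = sec[1], sec[4], sec[5], sec[6]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_off, str_size = sections[sh_link][4:6]    # sh_link points at the string table
        names = data[str_off:str_off + str_size]
        for off in range(sh_offset, sh_offset + sh_size, struct.calcsize(sym_fmt)):
            st_name = struct.unpack_from(sym_fmt, data, off)[0]
            yield names[st_name:names.index(b"\0", st_name)]

def has_stack_cookies(data):
    """True when the image references the stack-protector runtime, i.e. was built with cookies."""
    return any(name in CANARY_SYMBOLS for name in elf_symbol_names(data))

def check_file(path):
    """Run the check on an installed extension, e.g. site-packages/markupsafe/_speedups.so."""
    with open(path, "rb") as f:
        return has_stack_cookies(f.read())

def build_sample_elf(symbols):
    """Constructed test data: a minimal little-endian ELF64 whose .dynsym lists `symbols`."""
    strtab = b"\0" + b"".join(s + b"\0" for s in symbols)
    dynsym, off = b"\0" * 24, 1                  # entry 0 is the mandatory null symbol
    for s in symbols:
        dynsym += struct.pack("<IBBHQQ", off, 0x12, 0, 0, 0, 0)   # STB_GLOBAL | STT_FUNC
        off += len(s) + 1
    body = 64 + 3 * 64                           # ELF header + null/.dynsym/.dynstr headers
    shdrs = b"\0" * 64
    shdrs += struct.pack("<IIQQQQIIQQ", 0, SHT_DYNSYM, 0, 0, body, len(dynsym), 2, 1, 8, 24)
    shdrs += struct.pack("<IIQQQQIIQQ", 0, 3, 0, 0, body + len(dynsym), len(strtab), 0, 0, 1, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9     # ELF64, little-endian, ELF version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + shdrs + dynsym + strtab
```

One caveat when reading a negative result: plain -fstack-protector only instruments functions with sufficiently large character arrays, so a small module can be compiled with the flag and still reference none of these symbols; -fstack-protector-strong or -fstack-protector-all instruments far more functions and is what a scanner like this one effectively expects.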