Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/tmp/pip-build not secure #725

Closed
guettli opened this issue Nov 15, 2012 · 6 comments
Closed

/tmp/pip-build not secure #725

guettli opened this issue Nov 15, 2012 · 6 comments
Labels
auto-locked Outdated issues that have been locked by automation

Comments

@guettli
Copy link

guettli commented Nov 15, 2012

Well known temporary file names like /tmp/pip-build are insecure.

eviluser@host:~$ ln -s /home/otheruser/some-directory /tmp/pip-build

otheruser@host:~$ pip install ....

--> pip writes in /home/otheruser/some-directory. The user "otheruser" does not know it.

I tried it with pip 1.2.1 and content was written to /home/otheruser/some-directory.
@pnasrat
Copy link
Contributor

pnasrat commented Nov 15, 2012

Can you check develop branch of pip I believe pull #516 would have fixed this.

@guettli
Copy link
Author

guettli commented Nov 15, 2012

/tmp/pip-build is still used and can be abused by the way I posted above.

I tried it just some minutes ago with current git branch develop.

You can see it here, too:

strace -f pip install --user foo 2> tmp/strace-pip.log

@guettli guettli mentioned this issue Nov 20, 2012
Closed
d1b added a commit to d1b/pip that referenced this issue Nov 23, 2012
@d1b
Fix pypa#725 and pypa#516.
b326ee6 
Signed-off-by: David <db@d1b.org>
@d1b
Copy link
Contributor

d1b commented Nov 23, 2012

@guettli I believe #734 fixes this issue.

@qwcode
Copy link
Contributor

qwcode commented Nov 24, 2012

to be explicit, for anyone coming to this, the main reason for a consistent build directory name, is for the pip install --no-install/--no-download workflow which assumes a consistent directory to work off of between seperate executions of pip. pull #734 seems like a good approach in that it tries to be secure and use a consistent name.

@d1b d1b mentioned this issue Dec 6, 2012
Merged
d1b added a commit to d1b/pip that referenced this issue Jan 25, 2013
@d1b
Fix pypa#725 and pypa#729.
eeaa64d 
Signed-off-by: David <db@d1b.org>
@qwcode qwcode closed this as completed in 61cc16d Jan 26, 2013
@qwcode
Copy link
Contributor

qwcode commented Jan 26, 2013

addressed in pull #780

@pyup-vuln-bot pyup-vuln-bot mentioned this issue Oct 14, 2016
Merged
@pradyunsg pradyunsg removed !release blocker Hold a release until this is resolved labels Feb 8, 2019
@lock
Copy link

lock bot commented May 29, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the auto-locked Outdated issues that have been locked by automation label May 29, 2019
@lock lock bot locked as resolved and limited conversation to collaborators May 29, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
auto-locked Outdated issues that have been locked by automation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pnasrat @d1b @guettli @qwcode @pradyunsg