WARNING: malicious code

Reindl Harald h.reindl at thelounge.net
Sun Jul 6 11:59:51 UTC 2014


Am 06.07.2014 13:51, schrieb Sandro Mani:
> On 06.07.2014 13:48, Reindl Harald wrote:
>>
>> Am 06.07.2014 13:41, schrieb Sandro Mani:
>>> On 06.07.2014 13:38, drago01 wrote:
>>>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas <opensource at till.name> wrote:
>>>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>>>
>>>>>>    * A script automating most of the process of validating and processing the
>>>>>> request can be found at
>>>>>>
>>>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>>> Do not run this script, because it contains malicious code that
>>>>> might remove all files from your system! The code can be found in lines
>>>>> 301-302:
>>>>>
>>>>> | 301   os.chdir("/")
>>>>> | 302   shutil.rmtree(os.getcwd())
>>>> Ouch ... can we ban this guy from Fedora?
>>> This is a bit dramatic. I really sincerely apologize for this and please
>>> realize that I wrote this with the best
>>> intentions. I've fixed the issue...
>> how can a "rm -rf currentdir" happen by accident?
>> and that combined with making / the current dir?
>>
>> line 302 is a no-go in general
>> line 301 before that smells like intention
>>
>> I can't imagine that two lines together happen by mistake
>>
> It was a line ordering issue.
> The cwd before that call was the temporary directory.
> Please trust me, I really feel bad about this, and will never again push code
> which was written late at night.
> Again, I really apologize

accepted - but "shutil.rmtree(os.getcwd())" is in general not a line ordering issue
it's **** from a developer's perspective because it *always* leads to unpredictable
behavior if the "chdir" fails for whatever reason, be it a typo, wrong permissions
somewhere or SELinux coming into play

that's horribly dangerous in any context


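The failure mode described above, as an added illustration that is neither part of the thread nor taken from the script under discussion: `fragile_target` reproduces the shape of the quoted lines without the `rmtree` call, showing which path it would be handed when a `chdir` fails or was already pointed at `/`, and `safe_cleanup` is one defensive pattern (remove the explicit path you created, check it against a known root, never derive the target from the process cwd). All function and parameter names are assumptions.

```python
import os
import shutil
from pathlib import Path


def fragile_target(workdir: str) -> str:
    """Return the path ``shutil.rmtree(os.getcwd())`` would be handed.

    Same shape as the lines quoted in the thread, minus the rmtree: the
    directory to delete is whatever the process-wide cwd happens to be.
    If os.chdir fails (typo, permissions, SELinux) or some earlier code
    already did os.chdir("/"), the result is an unrelated tree, possibly "/".
    """
    try:
        os.chdir(workdir)
    except OSError:
        pass  # a swallowed error here is exactly how cwd ends up being the wrong tree
    return os.getcwd()


def safe_cleanup(workdir, root, remove=shutil.rmtree) -> Path:
    """Remove ``workdir`` only if it is a strict subdirectory of ``root``.

    The target is the explicit path the caller created, never os.getcwd().
    ``remove`` is injectable so the guard can be exercised without deleting.
    """
    workdir = Path(workdir).resolve()
    root = Path(root).resolve()
    if workdir == root or root not in workdir.parents:
        raise ValueError(f"refusing to remove {workdir}: not inside {root}")
    remove(workdir)
    return workdir


if __name__ == "__main__":
    import tempfile

    base = Path(tempfile.mkdtemp())  # constructed sandbox root for the demo
    work = base / "work"
    work.mkdir()
    # chdir to a mistyped path fails silently; cwd (and thus the target) is unchanged
    print("fragile target after failed chdir:", fragile_target(str(base / "typo")))
    print("removed:", safe_cleanup(work, base))
    try:
        safe_cleanup("/", base)
    except ValueError as exc:
        print(exc)
    shutil.rmtree(base)
```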