WARNING: malicious code

Sandro Mani manisandro at gmail.com
Sun Jul 6 12:03:37 UTC 2014


On 06.07.2014 13:59, Reindl Harald wrote:
> Am 06.07.2014 13:51, schrieb Sandro Mani:
>> On 06.07.2014 13:48, Reindl Harald wrote:
>>> Am 06.07.2014 13:41, schrieb Sandro Mani:
>>>> On 06.07.2014 13:38, drago01 wrote:
>>>>> On Sun, Jul 6, 2014 at 1:04 PM, Till Maas <opensource at till.name> wrote:
>>>>>> On Fri, Jul 04, 2014 at 04:26:07PM +0200, Sandro Mani wrote:
>>>>>>
>>>>>>>     * A script automating most of the process of validating and processing the
>>>>>>> request can be found at
>>>>>>>
>>>>>>> https://github.com/manisandro/fedora-process-simple-patch/blob/master/process-simple-patch.py
>>>>>> Do not run this script, because it contains malicious code that
>>>>>> might remove all files from your system! The code can be found in lines
>>>>>> 301-302:
>>>>>>
>>>>>> | 301   os.chdir("/")
>>>>>> | 302   shutil.rmtree(os.getcwd())
>>>>> Ouch ... can we ban this guy from Fedora?
>>>> This is a bit dramatic. I really sincerely apologize for this and please
>>>> realize that I wrote this with the best
>>>> intentions. I've fixed the issue...
>>> how can a "rm -rf currentdir" happen by accident?
>>> and that combined with make / to the current dir?
>>>
>>> line 302 is a no-go in general
>>> line 301 before that smells like intention
>>>
>>> i can't imagine that two lines together happen by mistake
>>>
>> It was a line ordering issue.
>> The cwd before that call was the temporary directory.
>> Please trust me, I really feel bad about this, and will never again push code
>> which was written late at night.
>> Again, I really apologize
> accepted - but "shutil.rmtree(os.getcwd())" is in general not a line ordering issue
> it's **** from a developers perspective because it leads *always* to unpredictable
> behavior if the "chdir" fails for whatever reason, be it a typo, wrong permissions
> somewhere or SELinux comes in place
>
> that's horribly dangerous in any context
>
Fully accepted, and trust me, I fully realize how utterly stupid the 
code was. I probably was just over-eager to get the script done and go 
to bed. I just really hope that I did not cause any loss of data to anyone.
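As an added illustration of the point raised in this thread (not code from the script under discussion, and not part of the original mail), the following contrasts the cwd-based cleanup pattern with an explicit, path-checked one; the function names are hypothetical:

```python
"""Why `shutil.rmtree(os.getcwd())` is unpredictable, and a safer alternative.

Added example: cwd_based_cleanup_target() only reports what the cwd pattern
would delete (nothing is removed there); remove_scratch_dir() is the
explicit-path replacement that refuses anything outside the temp location.
"""
import os
import shutil
import tempfile
from pathlib import Path


def make_scratch_dir() -> str:
    """Create a fresh scratch directory under the system temp location."""
    return tempfile.mkdtemp(prefix="scratch-")


def cwd_based_cleanup_target(workdir: str) -> str:
    """Show which directory 'chdir(workdir); rmtree(getcwd())' would hit.

    If the chdir fails (typo, permissions, SELinux), cwd stays wherever it
    was before, so the rmtree would delete an unrelated directory. The
    original cwd is restored before returning; nothing is deleted here.
    """
    before = os.getcwd()
    try:
        os.chdir(workdir)
    except OSError:
        pass  # failure is silently ignored, exactly the hazard in the thread
    target = os.getcwd()
    os.chdir(before)
    return target


def remove_scratch_dir(path: str) -> bool:
    """Delete `path` only if it is an absolute, non-symlink directory strictly
    inside the system temp location. Returns True when something was removed.
    Never derives the target from the current working directory."""
    raw = Path(path)
    if not raw.is_absolute() or raw.is_symlink():
        return False
    target = raw.resolve()
    tmp_root = Path(tempfile.gettempdir()).resolve()
    # Refuse "/", the temp root itself, and anything outside the temp root.
    if target == tmp_root or tmp_root not in target.parents:
        return False
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True
```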


