Modify

Ticket #177 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

Secirity risk: easy_install reads a wiki page to get tarball path

Reported by: upadhyay@… Owned by: xi
Priority: highest Component: pyyaml
Severity: blocker Keywords:
Cc:

Description

This is a *huge* security risk. Anyone can modify the wiki page: http://pyyaml.org/wiki/PyYAML, adding a malicious tarball location, that will be downloaded by easy_install and run as root on everyone who tries to install PyYAML.

At the very least please make the wiki page editable by only few people. Or make the pypi download location point to something more "reliable".

Attachments

Change History

comment:1 Changed 2 years ago by lericson

Register and update the wiki so it points to http://pyyaml.org/XXX-SECURITY-RISK-FIXME/see-ticket-177/PyYAML-3.09.tar.gz

comment:2 Changed 2 years ago by xi

  • Status changed from new to closed
  • Resolution set to fixed

Fixed by making the page read-only.

View

Add a comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
The resolution will be deleted. Next status will be 'reopened'
Author


E-mail address and user name can be saved in the Preferences.

Attachments
 
Note: See TracTickets for help on using tickets.