Python has become one of the most popular programming languages in the world. The reason is of course Python’s concise and easy-to-use script syntax. Just put a program into a .py file and it can be run quickly.
And the Python language is easy to use modules. For example, if you write a module my_lib.py, you only need to add a line import my_lib to the program that calls this module.
The advantage of this design is that beginners can execute commands very conveniently. But for attackers, this is tantamount to opening a backdoor for malicious programs.
Especially after some beginners download Python software packages and codes from the Internet to the local ~/Downloads folder, they directly run python commands in this path. Doing so will bring great hidden dangers to the computer.
Stop trying to be convenient
Why is this dangerous? First, we need to understand the three conditions that Python programs need to meet to run safely:
Every entry on the system path is in a safe location;
The directory where the “main script” is located is always in the system path;
If the python command uses the -c and -m options, the directory where the program is called must also be safe.
If you are running a correctly installed Python, the only location other than the Python installation directory and virtualenv that will be automatically added to the system path is the installation directory of the current main program.
This is the source of security risks. Let’s use an example to tell you why.
If you install pip in the /usr/bin folder and run the pip command. Since /usr/bin is the system path, it is a very safe place.
However, some people don’t like to use pip directly, preferring to call /path/to/python -m pip.
The advantage of this is that it can avoid the complexity of setting the environment variable $PATH, and for Windows users, it can also avoid dealing with installing various exe scripts and documents.
So the question is, if there is a file called pip.py in your download file, then you will replace the pip that comes with the system and take over your program.
The download folder is not safe
For example, you downloaded a Python wheel file directly from the Internet instead of PyPI. You naturally enter the following command to install it:
~$ cd Downloads ~/Downloads$ python -m pip install ./totally-legit-package.whl
This seems like a very reasonable thing to do. But what you don’t know is that it’s very possible to access a site with XSS JavaScript and add malware-laden pip.py to the download folder.
The following is a demonstration example of malicious attack software:
~$ mkdir attacker_dir
~$ cd attacker_dir
~/attacker_dir$ echo 'print("lol ur pwnt")' > pip.py
~/attacker_dir$ python -m pip install requests
lol ur pwnt
see it? This code generates a pip.py and takes over the program instead of the system’s pip.
Setting $PYTHONPATH is also unsafe
As mentioned before, Python will only call the system path, virtualenv virtual environment path and the current main program path.
You may say, then I set the $PYTHONPATH environment variable manually and don’t put the current directory in the environment variable. Wouldn’t it be safe?
No! Unfortunately, you may encounter another type of attack. Let’s simulate a “fragile” Python program:
# tool.py
try:
import optional_extra
except ImportError:
print("extra not found, that's fine")
Then create 2 directories: install_dir and attacker_dir. Place the above program in install_dir. Then cd attacker_dir places the complex malware here and changes its name to the optional_extra module called by tool.py:
#optional_extra.py
print("lol ur pwnt")
Let’s run it:
~/attacker_dir$ python ../install_dir/tool.py extra not found, that's fine
So far so good, no issues.
But this idiom has a serious flaw: the first time it is called, if $PYTHONPATH was previously empty or unset, it will contain an empty string, which is parsed to the current directory.
Let’s try it again:
~/attacker_dir$ export PYTHONPATH="/a/perfectly/safe/place:$PYTHONPATH"; ~/attacker_dir$ python ../install_dir/tool.py lol ur pwnt
see it? A malicious script takes over the program.
For security reasons, you might think that clearing $PYTHONPATH should be fine, right? Naive! Still not safe!
~/attacker_dir$ export PYTHONPATH=""; ~/attacker_dir$ python ../install_dir/tool.py lol ur pwnt
What happens here is that $PYTHONPATH becomes empty, which is different from unset.
Because in Python, os.environ.get(“PYTHONPATH”) == “” and os.environ.get(“PYTHONPATH”) == None are different.
If you want to ensure that $PYTHONPATH has been cleared from the shell, you need to use the unset command to process it again, and then it will be normal.
set up
P
Y
T
H
O
N
P
A
T
H
used to be settings
P
y
t
h
o
n
The most common method for developing environments. But you’d better not use it again in the future,
v
i
r
t
u
a
l
e
n
v
Can better meet developer needs. If you have set up one in the past
PYTHONPATH used to be the most common way to set up a Python development environment. But you’d better not use it in the future, virtualenv can better meet developer needs. If you have set up one in the past
PYTHONPATH used to be the most common way to set up a Python development environment. But you’d better not use it in the future, virtualenv can better meet developer needs. If you set a PYTHONPATH in the past, now is a good time to delete it.
If you really need to use PYTHONPATH in the shell, please use the following method:
export PYTHONPATH="${PYTHONPATH: + ${PYTHONPATH}:}new_entry_1"
export PYTHONPATH="${PYTHONPATH: + ${PYTHONPATH}:}new_entry_2"
In bash and zsh, the value of the $PYTHONPATH variable will become:
$ echo "${PYTHONPATH}"
new_entry_1:new_entry_2
This ensures that there are no spaces and extra colons in the environment variable $PYTHONPATH.
If you are still using $PYTHONPATH, make sure to always use absolute paths!
In addition, running Jupyter Notebook directly in the download folder is also dangerous. For example, jupyter notebook ~/Downloads/anything.ipynb may also introduce malicious programs into the code.
Preventive measures
Finally, summarize the key points.
If you want to use tools written in Python in the download folder ~/Downloads, please develop a good habit and use the path where pip is located /path/to/venv/bin/pip instead of typing /path/to/venv/bin/python -m pip.
Avoid ~/Downloads as the current working directory, and move any software you want to use to a more appropriate location before launching it.
It’s important to understand where Python gets its execution code. Giving someone else the ability to execute arbitrary Python commands is equivalent to giving them complete control over your computer!
I hope the above text will be helpful to you who are new to Python.
Finally
I have prepared detailed Python information here. In addition to providing you with a clear learning path, I have selected the most practical learning resources and a huge library of examples. After a short period of study, you can master the crawler skill well and obtain the data you want.
01 is specially designed for 0 basic settings, and even beginners can learn it easily
We have interspersed all the knowledge points of Python into the comics.
In the Python mini-class, you can learn knowledge points through comics, and difficult professional knowledge becomes interesting and easy to understand in an instant.
Just like the protagonist of the comic, you travel through the plot, pass the levels, and complete the learning of knowledge unknowingly.
02 No need to download the installation package yourself, detailed installation tutorials are provided
03 Plan detailed learning routes and provide learning videos
04 Provide practical information to better consolidate knowledge
05 Provide interview information and side job information to facilitate better employment
This complete version of Python learning materials has been uploaded to CSDN. If you need it, you can scan the official QR code of csdn below or click on the WeChat card at the bottom of the homepage and article to get the method. [Guaranteed 100% free]
