Headline
CVE-2023-24816: ipython/terminal.py at 3f0bf05f072a91b2a3042d23ce250e5e906183fd · ipython/ipython
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function IPython.utils.terminal.set_term_title be called on Windows in a Python environment where ctypes is not available. The dependency on ctypes in IPython.utils._process_win32 prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool set_term_title could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the IPython.utils.terminal.set_term_title function are done with trusted or filtered input.
# encoding: utf-8 “"” Utilities for working with terminals. Authors: * Brian E. Granger * Fernando Perez * Alexander Belchenko (e-mail: bialix AT ukr.net) “"” # Copyright © IPython Development Team. # Distributed under the terms of the Modified BSD License. import os import sys import warnings from shutil import get_terminal_size as _get_terminal_size # This variable is part of the expected API of the module: ignore_termtitle = True if os.name == 'posix’: def _term_clear(): os.system(‘clear’) elif sys.platform == 'win32’: def _term_clear(): os.system(‘cls’) else: def _term_clear(): pass def toggle_set_term_title(val): """Control whether set_term_title is active or not. set_term_title() allows writing to the console titlebar. In embedded widgets this can cause problems, so this call can be used to toggle it on or off as needed. The default state of the module is for the function to be disabled. Parameters ---------- val : bool If True, set_term_title() actually writes to the terminal (using the appropriate platform-specific module). If False, it is a no-op. “"” global ignore_termtitle ignore_termtitle = not(val) def _set_term_title(*args,**kw): “""Dummy no-op.""” pass def _restore_term_title(): pass _xterm_term_title_saved = False def _set_term_title_xterm(title): “"” Change virtual terminal title in xterm-workalikes “"” global _xterm_term_title_saved # Only save the title the first time we set, otherwise restore will only # go back one title (probably undoing a %cd title change). if not _xterm_term_title_saved: # save the current title to the xterm “stack” sys.stdout.write(“\033[22;0t”) _xterm_term_title_saved = True sys.stdout.write(‘\033]0;%s\007’ % title) def _restore_term_title_xterm(): # Make sure the restore has at least one accompanying set. global _xterm_term_title_saved assert _xterm_term_title_saved sys.stdout.write(‘\033[23;0t’) _xterm_term_title_saved = False if os.name == 'posix’: TERM = os.environ.get(‘TERM’,’’) if TERM.startswith(‘xterm’): _set_term_title = _set_term_title_xterm _restore_term_title = _restore_term_title_xterm elif sys.platform == 'win32’: try: import ctypes SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW SetConsoleTitleW.argtypes = [ctypes.c_wchar_p] def _set_term_title(title): “""Set terminal title using ctypes to access the Win32 APIs.""” SetConsoleTitleW(title) except ImportError: def _set_term_title(title): “""Set terminal title using the ‘title’ command.""” global ignore_termtitle try: # Cannot be on network share when issuing system commands curr = os.getcwd() os.chdir(“C:”) ret = os.system("title " + title) finally: os.chdir(curr) if ret: # non-zero return code signals error, don’t try again ignore_termtitle = True def set_term_title(title): “""Set terminal title using the necessary platform-dependent calls.""” if ignore_termtitle: return _set_term_title(title) def restore_term_title(): “""Restore, if possible, terminal title to the original state""” if ignore_termtitle: return _restore_term_title() def freeze_term_title(): warnings.warn("This function is deprecated, use toggle_set_term_title()") global ignore_termtitle ignore_termtitle = True def get_terminal_size(defaultx=80, defaulty=25): return _get_terminal_size((defaultx, defaulty))
Related news
IPython provides an interactive Python shell and Jupyter kernel to use Python interactively. Versions prior to 8.10.0 are vulnerable to command injection in the `set_term_title` [function](https://github.com/ipython/ipython/blob/3f0bf05f072a91b2a3042d23ce250e5e906183fd/IPython/utils/terminal.py#L103-L117) under specific conditions. This has been patched in version 8.10.0. ### Impact Users are only vulnerable when calling this function in Windows in a Python environment where [ctypes](https://docs.python.org/3/library/ctypes.html) is not available. The dependency on ctypes in `IPython.utils._process_win32` prevents the vulnerable code from ever being reached (making it effectively dead code). However, as a library that could be used by another tool, `set_term_title` could introduce a vulnerability for dependencies. Currently `set_term_title` is only called with (semi-)trusted input that contain the current working directory of the current IPython session. If an attacker can control di...