Python sys.path security risk

[vbraun]

test_executable runs various executables in /tmp. When running a script, Python puts the directory containing that script in sys.path. Therefore, it is trivial for any user to have code executed by the user running the doctests. For example:

[eviluser@hostname ~]$ echo 'print "EVIL!!"' > /tmp/socket.py
...
[vbraun@hostname ~]$ sage -t -force_lib devel/sage/sage/tests/cmdline.py
sage -t -force_lib "devel/sage/sage/tests/cmdline.py"       
**********************************************************************
File "/home/vbraun/opt/sage-5.4.beta1/devel/sage/sage/tests/cmdline.py", line 248:
    sage: print out
Expected:
    1
Got:
    EVIL!!

test_executable should securely create a temp directory and run the executable in there.

Apply:

1. attachment: 13579_sagelib.patch to the Sage library.
2. attachment: 13579_scripts.patch to Sage scripts (local/bin).
3. new spkg: http://boxen.math.washington.edu/home/jdemeyer/spkg/python-2.7.3.p1.spkg (patch added: attachment: sys_path_security.patch)

Reported upstream: http://bugs.python.org/issue16202

See also: ipython/ipython#7044

Upstream: Reported upstream. No feedback yet.

CC: @jdemeyer

Component: doctest coverage

Author: Jeroen Demeyer, Volker Braun

Reviewer: Volker Braun, Jeroen Demeyer, David Roe

Merged: sage-5.4.rc2

Issue created by migration from https://trac.sagemath.org/ticket/13579

[jdemeyer]

Description changed:

--- 
+++ 
@@ -1,4 +1,4 @@
-`test_executable` runs various executables in `/tmp`. Since Python has `.` in `sys.path`, it is trivial for any user to have code executed by the user running the doctests. For example:
+`test_executable` runs various executables in `/tmp`. When running a script, Python puts the directory containing that script in `sys.path`. Therefore, it is trivial for any user to have code executed by the user running the doctests. For example:
 
 ```
 [eviluser@hostname ~]$ echo 'print "EVIL!!"' > /tmp/socket.py

[vbraun]

comment:3

Attachment: 13579_secure_tmp.patch.gz

Oops, looks like we did it at the same time.

[vbraun]

comment:4

I'm fine with your patch. All doctests pass with both patches applied.

[vbraun]

Reviewer: Volker Braun, Jeroen Demeyer

[vbraun]

Description changed:

--- 
+++ 
@@ -14,3 +14,5 @@
     EVIL!!
 ```
 `test_executable` should securely create a temp directory and run the executable in there.
+
+Attach [attachment: 13579_secure_tmp.patch](https://github.com/sagemath/sage-prod/files/10656430/13579_secure_tmp.patch.gz), [attachment: trac_13579_fix_test_executable.patch](https://github.com/sagemath/sage-prod/files/10656431/trac_13579_fix_test_executable.patch.gz) to the Sage library.

[vbraun]

Author: Jeroen Demeyer, Volker Braun

[vbraun]

Description changed:

--- 
+++ 
@@ -15,4 +15,4 @@
 ```
 `test_executable` should securely create a temp directory and run the executable in there.
 
-Attach [attachment: 13579_secure_tmp.patch](https://github.com/sagemath/sage-prod/files/10656430/13579_secure_tmp.patch.gz), [attachment: trac_13579_fix_test_executable.patch](https://github.com/sagemath/sage-prod/files/10656431/trac_13579_fix_test_executable.patch.gz) to the Sage library.
+Apply [attachment: 13579_secure_tmp.patch](https://github.com/sagemath/sage-prod/files/10656430/13579_secure_tmp.patch.gz), [attachment: trac_13579_fix_test_executable.patch](https://github.com/sagemath/sage-prod/files/10656431/trac_13579_fix_test_executable.patch.gz) to the Sage library.