Shulou(Shulou.com)06/03 Report--

This article introduces the knowledge of "how to run the python command correctly". Many people will encounter such a dilemma in the operation of actual cases, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Python has become one of the most popular programming languages in the world. The reason, of course, is Python's concise and easy-to-use script syntax, which can run quickly by simply putting a program in a .py file.

And the Python language is easy to use modules. For example, if you write a module my_lib.py, you only need to add a line of import my_lib to the program that calls the module.

The advantage of this design is that beginners can easily execute commands. But for attackers, this is tantamount to opening the back door for malicious programs.

In particular, after some beginners download the Python software packages and codes on the Internet to the local ~ / Downloads folder, they will directly run the python command under this path, which will bring great hidden trouble to the computer.

Stop trying to be convenient.

Why is it dangerous to do so? First of all, we need to understand three conditions that need to be met for the safe operation of Python programs:

Every entry on the system path is in a secure location

The directory where the main script is located is always in the system path

If the python command uses the-c and-m options, the directory of the calling program must also be secure.

If you are running a properly installed Python, the only location other than the Python installation directory and virtualenv that will be automatically added to the system path is the current installation directory of the main program.

This is the source of the security risk, and here is an example to show you why.

If you install pip in the / usr/bin folder, run the pip command. Since / usr/bin is the system path, this is a very safe place.

However, some people do not like to use pip directly, but prefer to call / path/to/python-m pip.

The advantage of this is that you can avoid the complexity of setting the environment variable $PATH, and for Windows users, you can avoid dealing with installing various exe scripts and documents.

So the problem is, if you have a file called pip.py in your download file, you will take over your program instead of the pip that comes with the system.

It is not safe to download a folder

For example, instead of downloading a Python wheel file from PyPI, you download it directly from the Internet. You naturally type the following command to install it:

~ $cd Downloads ~ / Downloads$ python-m pip install. / totally-legit-package.whl

This seems to be a very reasonable thing. But what you don't know is that doing so is likely to visit a site with XSS JavaScript and put the pip.py with malware into the download folder.

The following is a demonstration of malicious attack software:

~ $mkdir attacker_dir~ $cd attacker_dir~/attacker_dir$ echo 'print ("lol ur pwnt")' > pip.py ~ / attacker_dir$ python-m pip install requests lol ur pwnt

Did you see that? This code generates a pip.py and takes over the program instead of the system's pip.

It is not safe to set $PYTHONPATH.

As mentioned earlier, Python only calls the system path, the virtualenv virtual environment path, and the current main program path

You might say, isn't it safe for me to manually set the $PYTHONPATH environment variable and not put the current directory in the environment variable?

No! Unfortunately, you may encounter another form of attack. Let's simulate a "fragile" Python program:

# tool.py try:import optional_extra except ImportError:print ("extra not found, that's fine")

Then create two directories: install_dir and attacker_dir. Put the above program in install_dir. Then cd attacker_dir puts the complex malware here and changes its name to the optional_extra module called by tool.py:

# optional_extra.py print ("lol ur pwnt")

Let's run it:

~ / attacker_dir$ python.. / install_dir/tool.py extra not found, that's fine

It's good to be here, and there's no problem.

But this idiom has a serious flaw: the first time it is called, if $PYTHONPATH was previously empty or not set, it contains an empty string that is parsed to the current directory.

Let's try again:

~ / attacker_dir$ export PYTHONPATH= "/ a/perfectly/safe/place:$PYTHONPATH"; ~ / attacker_dir$ python.. / install_dir/tool.py lol ur pwnt

Did you see that? The malicious script took over the program.

To be on the safe side, you might think it's okay to empty $PYTHONPATH? Naive! It's still not safe!

~ / attacker_dir$ export PYTHONPATH= ""; ~ / attacker_dir$ python.. / install_dir/tool.pylol ur pwnt

What happens here is that $PYTHONPATH becomes empty, which is not the same as unset.

Because in Python, os.environ.get ("PYTHONPATH") = = "" and os.environ.get ("PYTHONPATH") = = None are different.

If you want to make sure that $PYTHONPATH has been cleared from the shell, you need to use the unset command to process it once, and then it will be fine.

Setting $PYTHONPATH used to be the most common way to set up the Python development environment. But you'd better not use it anymore. Virtualenv can better meet the needs of developers. If you set up a $PYTHONPATH in the past, now is a good time to delete it.

If you do need to use PYTHONPATH in shell, use the following methods:

Export PYTHONPATH= "${PYTHONPATH:+$ {PYTHONPATH}:} new_entry_1" export PYTHONPATH= "${PYTHONPATH:+$ {PYTHONPATH}:} new_entry_2"

In bash and zsh, the value of the $PYTHONPATH variable becomes:

$echo "${PYTHONPATH}" new_entry_1:new_entry_2

This ensures that there are no spaces and extra colons in the environment variable $PYTHONPATH.

If you are still using $PYTHONPATH, be sure to always use the absolute path!

In addition, it is equally dangerous to run Jupyter Notebook directly in the download folder, for example, jupyter notebook ~ / Downloads/anything.ipynb may also introduce malicious programs into the code.

Precautionary measures

Finally, summarize the main points.

If you want to use tools written by Python in the download folder ~ / Downloads, get into the habit of using the path / path/to/venv/bin/pip where pip is located instead of typing / path/to/venv/bin/python-m pip.

Avoid using ~ / Downloads as the current working directory and move any software to be used before startup to a more appropriate location.

It is important to understand where Python gets the execution code. Giving someone else the ability to execute arbitrary Python commands is the same as giving him complete control over your computer!

This is the end of how to run the python command correctly. Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.