Importing non-standard Python Modules


Sam Hentschel

May 16, 2017, 3:32:51 PM
to qubes-devel
Qubes Devs,

I'm working on the qvm-convert-pdf, but I feel this relates to a bunch of other work.  I'm trying to fix the TODO in the qvm_convert_pdf_nautilus.py file and one of the ways I found (that was most efficient) was using the python-magic module.  However, I have to install it with pip.  Is this still acceptable (or will it have to be checked at review time?) or should I try and use file through an os command?

--
Respectfully,
Sam Hentschel
FD6A 2998 5301 B440 D26B
7040 69D1 CE58 6FA5 BB5A

Marek Marczykowski-Górecki

May 16, 2017, 3:47:00 PM
to Sam Hentschel, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, May 16, 2017 at 12:32:50PM -0700, Sam Hentschel wrote:
> Qubes Devs,
>
> I'm working on the qvm-convert-pdf, but I feel this relates to a bunch of
> other work. I'm trying to fix the TODO in the qvm_convert_pdf_nautilus.py
> file and one of the ways I found (that was most efficient) was using the
> python-magic module. However, I have to install it with pip. Is this
> still acceptable (or will it have to be checked at review time?) or should
> I try and use file through an os command?

No, installation of python modules with pip is not acceptable. But with
rpm is. And there is python-magic module in Fedora.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZG1cuAAoJENuP0xzK19csJ34IAI9F4w7nLl0UonIKrumvzkZY
dwUfR5kFOP4jW8sPFA2/tn4TQtAH2GLuMluWa/t+tNXpEy21YrXqdXCsq3cYNj/m
6NWm21kPggjVpk6SCfsdWQfWaNjHIAe5xVCjYdMeAu9gaEWkXlxiGJADUbWJE9fY
gosb+1NUkY1LxAgQPcTifbcGO1mVZYbeJ1QmsEtLPWl83IPjP3IM5VOWT3PL5J5v
MhzwT7ktZ+9IGJ+vD6K1G6j5isqC7ZNbB3WHtX6nzW9OSYeiyXRE01uC+0MiAfg+
lhaXluD9EIJawPMMaa3Ir2mN9iz+MFhA9bz2Ns5Sf6lVZogdxZ5RAA7cKw24Naw=
=Xbl/
-----END PGP SIGNATURE-----

Jean-Philippe Ouellet

May 21, 2017, 2:52:15 PM
to Sam Hentschel, qubes-devel
On Tue, May 16, 2017 at 3:32 PM, Sam Hentschel <hents...@gmail.com> wrote:
> Qubes Devs,
>
> I'm working on the qvm-convert-pdf, but I feel this relates to a bunch of
> other work. I'm trying to fix the TODO in the qvm_convert_pdf_nautilus.py
> file and one of the ways I found (that was most efficient) was using the
> python-magic module. However, I have to install it with pip. Is this still
> acceptable (or will it have to be checked at review time?) or should I try
> and use file through an os command?

Hi Sam,

First of all, thanks for contributing! :)

However, if my assumptions based on your message are correct, your
proposed changes are somewhat concerning. The TODO in question is "#
TODO: Only allow pdf files" [1], and python-magic is a wrapper around
libmagic. libmagic is a "throw all the untrusted input at all the
parsers" library. Furthermore, the Nautilus code in question is run in
the VM which contains the PDF, rather than the one which does the
conversion. This means that if there is a vulnerability in any of the
complex parsing of the file, and it is exploitable, the attacker would
have access to all the other files in the VM. This is really not what
a user trying to sanitize an untrusted pdf expects or wants.

libmagic is not perfect (CVEs 2012-1571, 2013-7345, 2014-1943,
2014-2270), and in fact trying to sandbox it [2] after the last of
these vulns was IIRC one of the last straws (along with strings/libbfd
and tcpdump) which led to the invention of the pledge(2) sandboxing
interface [3] in OpenBSD.

If you really want to do complex parsing of untrusted input, that's
fine, but do it in the DispVM created for that purpose, not the
originating VM. Personally, I'd just call this (specifically detecting
if something is truly a PDF before trying to convert it) WONTFIX and
move on. At best we gain a slightly more informative error message if
the user happens to have a not-pdf file named *.pdf, at worst we gain
arbitrary code execution in the originating VM when trying to sanitize
untrusted PDFs.

I'm just pointing out my thoughts on this one specific aspect. Don't
let this discourage your other work on the PDF converter!

Cheers,
Jean-Philippe

[1]: https://github.com/QubesOS/qubes-app-linux-pdf-converter/blob/e18a416dd60fb45f7b2ab34c73614f59e5c412d1/qvm_convert_pdf_nautilus.py#L21
[2]: https://news.ycombinator.com/item?id=9439778
[3]: http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2
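Added illustration of the distinction drawn in the message above (this is example code written for this page, not code from the thread or from qubes-app-linux-pdf-converter): if any check is done in the originating VM at all, it should involve no format parsing. The block compares only the fixed `%PDF-` header bytes against a constant, never hands the file to libmagic, and leaves the question of validity to the converter running in the DispVM. The function names `looks_like_pdf` and `select_pdfs` are hypothetical, and the sample files are constructed here rather than taken from any real system. Python is used because the Nautilus extension in question is Python.

```python
import os
import tempfile

PDF_MAGIC = b"%PDF-"   # fixed header every PDF file begins with


def looks_like_pdf(path):
    """Return True iff the file at `path` starts with the PDF header.

    Deliberately does not use python-magic/libmagic: a fixed number of
    bytes is read and compared with a constant, so no format parsing of
    untrusted data happens in the originating VM. This proves nothing
    about validity; that remains the converter's job in the DispVM.
    """
    with open(path, "rb") as fh:
        return fh.read(len(PDF_MAGIC)) == PDF_MAGIC


def select_pdfs(paths):
    """Split candidate files into (accepted, rejected) lists.

    Rejected entries carry a short reason suitable for an error dialog.
    Unreadable files are rejected instead of raising, so one bad
    selection does not abort the whole batch.
    """
    accepted, rejected = [], []
    for p in paths:
        try:
            ok = looks_like_pdf(p)
        except OSError as exc:
            rejected.append((p, "cannot read: %s" % exc.strerror))
            continue
        if ok:
            accepted.append(p)
        else:
            rejected.append((p, "does not start with %r" % PDF_MAGIC))
    return accepted, rejected


# Constructed sample inputs (hypothetical, not real user files): name -> bytes
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "renamed.pdf": b"<html><body>not a pdf</body></html>\n",
    "empty.pdf": b"",
    "ps.pdf": b"%!PS-Adobe-3.0\n",
}


def demo():
    """Write the samples to a temp dir and return {name: accepted?}."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in SAMPLES.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            paths.append(p)
        paths.append(os.path.join(d, "missing.pdf"))  # never created
        accepted, rejected = select_pdfs(paths)
    result = {os.path.basename(p): True for p in accepted}
    result.update({os.path.basename(p): False for p, _ in rejected})
    return result


if __name__ == "__main__":
    for name, ok in sorted(demo().items()):
        print("%-12s %s" % (name, "pdf" if ok else "rejected"))
```

A file that passes this check can still be arbitrary attacker-controlled data after the first five bytes, so it buys exactly the more informative error message described above and nothing more; the real sanitisation still has to happen in the DispVM. Note also that a strict prefix compare rejects files with junk before the header that some viewers would still open, which is the price of doing no scanning at all on the untrusted side.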