This repository was archived by the owner on Jul 16, 2020. It is now read-only.
forked from pypa/pip
Slow retrieval attacks for pip without TUF
Trishank Karthik Kuppusamy edited this page Sep 21, 2013
In a slow retrieval attack, we trickle updates to pip. This might allow an attacker to remotely exploit a vulnerability before an update is downloaded to completion.
First, we set up the virtual environment (for cleanroom testing) and install pip-without-TUF:
$ cd /tmp
$ curl -O https://pypi.python.org/packages/source/v/virtualenv/virtualenv-1.10.1.tar.gz
$ tar xvfz virtualenv-1.10.1.tar.gz
$ python virtualenv-1.10.1/virtualenv.py --no-site-packages slow-retrieval-without-tuf
$ source slow-retrieval-without-tuf/bin/activate
Suppose that FooBar 0.1 is ~8MB and the web server responds at about 4KB/s (after the first few hundred bytes):
$ time pip install FooBar --index-url http://mirror1.poly.edu/test-pip/slow-retrieval/targets/simple/
Downloading/unpacking FooBar
Downloading FooBar-0.1.tar.gz (8.4MB): 8.4MB downloaded
Running setup.py egg_info for package FooBar
Installing collected packages: FooBar
Running setup.py install for FooBar
FooBar 0.1
Successfully installed FooBar
Cleaning up...
real 34m10.084s
user 0m0.484s
sys 0m0.100s
pip-without-TUF is designed to be robust, so it waits until the entire download is complete. However, this is sometimes a security problem, because an attacker may deliberately trickle the download in order to remotely exploit a user who is downloading a security update. This situation could have been avoided with the slow retrieval attack protection offered by PyPI-with-TUF.
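As an added illustration (not code from pip or TUF), this is the kind of minimum-transfer-rate check that slow retrieval protection applies: the client measures the average rate over each window and aborts once it drops below a floor, rather than waiting 34 minutes for a trickled 8.4MB file. The 50KB/s floor, the 5-second window, the FakeClock and the simulated trickling server are assumptions for the demonstration.

```python
import time

class SlowRetrievalError(Exception):
    """Raised when the server trickles data below the acceptable rate."""

def read_with_min_rate(chunks, min_bytes_per_sec, window_secs=5.0, clock=time.monotonic):
    """Consume chunks, aborting once a window's average rate falls below the floor.
    A per-read socket timeout is still needed when a server stops sending entirely,
    since this loop only measures while chunks keep arriving."""
    received = bytearray()
    window_start, window_bytes = clock(), 0
    for chunk in chunks:
        received += chunk
        window_bytes += len(chunk)
        now = clock()
        elapsed = now - window_start
        if elapsed >= window_secs:
            rate = window_bytes / elapsed
            if rate < min_bytes_per_sec:
                raise SlowRetrievalError(
                    f"{rate:.0f} B/s over {elapsed:.1f}s is below the "
                    f"{min_bytes_per_sec} B/s floor; aborted after {len(received)} bytes")
            window_start, window_bytes = now, 0
    return bytes(received)

class FakeClock:
    """Simulated clock (an assumption) so the 34-minute trickle replays instantly."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def trickling_server(total_bytes, bytes_per_sec, chunk_size, clock):
    """Constructed stand-in for a server delivering chunk_size bytes at bytes_per_sec."""
    sent = 0
    while sent < total_bytes:
        n = min(chunk_size, total_bytes - sent)
        clock.now += n / bytes_per_sec  # the time this chunk would take to arrive
        sent += n
        yield b"\x00" * n

def fetch(total_bytes, bytes_per_sec, min_bytes_per_sec=50_000):
    """Bytes accepted from the simulated server, or -1 if aborted as a slow retrieval."""
    clock = FakeClock()
    source = trickling_server(total_bytes, bytes_per_sec, 1024, clock)
    try:
        return len(read_with_min_rate(source, min_bytes_per_sec, clock=clock))
    except SlowRetrievalError:
        return -1
```

With an honest mirror at 1MB/s the 8.4MB download completes; at the 4KB/s trickle shown above the client gives up after the first 5-second window instead of waiting half an hour.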