> An unexpected exception to this is the antigravity module. The Python developers included an easter egg in 2008 which can be triggered by running import antigravity. This import will immediately open your browser to the xkcd comic that joked that import antigravity in Python would grant you the ability to fly.
> As for how the antigravity module opens your browser, it uses another module from the standard library called webbrowser. This module checks your PATH for a large variety of browsers, including mosaic, opera, skipstone, konqueror, chrome, chromium, firefox, links, elinks and lynx. It also accepts an environment variable BROWSER that lets you specify which process should be executed.
It was the possibility of security vulnerabilities that made software companies (more specifically Microsoft[0]) eschew easter eggs. Every feature, every line of code potentially increases your attack surface, especially if it interacts with other features.
> It was the possibility of security vulnerabilities that made software companies (more specifically Microsoft[0]) eschew easter eggs.
...and yet there are plenty of horror stories about Win10 coming with lots of other "surprises" like Candy Crush installed by default, ads that fetch resources over the Internet, etc. I can almost hear a PM somewhere say "but they're not easter eggs, because they are documented somewhere." I'm sure people would be far less surprised and disgusted by a "real easter egg" that did something simple like developer's credits. Corporate bureaucracy at its worst...
I suspect what made companies exclude easter eggs was a sense that they were too big and "serious" for this sort of whimsical activity. And specifically for Microsoft, a sense that they were now targeting the Enterprise Market™ and were above all this consumer-grade behaviour. Interestingly Google still has easter egg behaviour for several queries, e.g. askew[1], which fits well with their corporate brand.
To be clear, an easter egg is only supposed to be a (pleasant) surprise to the consumer -- not a secret kept from the rest of the team, especially QA. You can and should absolutely test your easter eggs.
Yes, Excel's increasingly elaborate easter eggs[2] would probably find it hard to get past security review these days. But to say that easter eggs are bad because of security doesn't make sense. Especially when companies include undocumented features in software all the time -- e.g., typing '=rand()' into newer versions of MS Word produces some random text, probably a lorem ipsum generator-like feature.
This "vulnerability" requires "able to set an environment variable on a Python execution environment" and "opening a browser leads to RCE". Once you have that level of control over a system, I don't think `antigravity` will make or break an RCE.
This is flat wrong. You can cause it to run an arbitrary binary by setting the BROWSER environment variable, as they demonstrate in the article. They chained it with the Perl environment variable vulnerability listed earlier to achieve execution.
I am confused by your point... the article is trying to hack a system where they can only set environment variables, and they found an environment variable that can import arbitrary modules.
Are you trying to tell hackers to just not import the module?
Of course as a developer you (should) already have the power to run arbitrary code on your machine, so going through that route is silly. I think it's more in reference to locked-down environments like shared hosting, which want to run Python but restrict access to everything else. From that perspective, this ability looks like a sandbox escape.
It's an escape because you can load an arbitrary script into the command, and if the sandbox crafter didn't think to lock down `import antigravity` then you can escape the sandbox.
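The mechanism quoted from the article (webbrowser consulting BROWSER) and the sandbox-escape point made in the replies, as an added example; this is not code from the article or from any commenter. It assumes Linux and a current CPython 3, whose webbrowser module behaves as its documentation describes: BROWSER is split on os.pathsep, each entry is tried ahead of the platform browsers, and an entry containing `%s` is treated as a literal command line with the URL substituted for `%s`. The fake "browser" script, the marker file and the `ALLOWED_ENV` allow-list are constructed for the demo and hypothetical.

```python
"""Added example: what `import antigravity` does with an attacker-chosen BROWSER.

CPython's webbrowser module splits BROWSER on os.pathsep and registers each
entry ahead of every platform browser; an entry containing '%s' is treated
as a literal command line with the URL substituted for '%s'. Nothing checks
that the command is a browser, so an environment the attacker controls
turns `import antigravity` into "run my program with one argument".
"""
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed stand-in for the attacker's payload: it only records the URL it
# was handed, so the demo is observable without doing anything harmful.
FAKE_BROWSER_SRC = """\
import sys
# argv[1]: marker path baked into BROWSER; argv[2]: the URL substituted for %s.
with open(sys.argv[1], "w") as f:
    f.write(sys.argv[2])
"""

# Hypothetical allow-list a sandbox launcher might keep for child interpreters.
ALLOWED_ENV = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR")


def pass_through(env):
    """Naive policy: hand the whole (attacker-influenced) environment down."""
    return dict(env)


def allow_list(env):
    """Hardened policy: copy only named variables, which drops BROWSER."""
    return {k: env[k] for k in ALLOWED_ENV if k in env}


def trigger(child_env, marker):
    """Run `import antigravity` in a child interpreter with exactly child_env.

    Returns the URL the fake browser recorded, or None if it never ran.
    """
    subprocess.run(
        [sys.executable, "-c", "import antigravity"],
        env=child_env, capture_output=True, check=True, timeout=60,
    )
    if not os.path.exists(marker):
        return None
    with open(marker) as f:
        return f.read()


def run_demo(policy):
    """Build a hostile environment and launch through the given env policy."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "fake_browser.py")
        marker = os.path.join(tmp, "browser_ran.txt")
        with open(fake, "w") as f:
            f.write(FAKE_BROWSER_SRC)

        hostile = dict(os.environ)
        # The trailing '%s' makes webbrowser.get() shlex-split this entry into
        # argv and append the URL, so extra arguments (the marker path) ride along.
        hostile["BROWSER"] = " ".join(
            shlex.quote(p) for p in (sys.executable, fake, marker)
        ) + " %s"
        # Unset so no fallback browser on this machine is opened once the
        # override is dropped (Linux: no X/Wayland display, no console browser).
        for key in ("DISPLAY", "WAYLAND_DISPLAY", "TERM"):
            hostile.pop(key, None)

        return trigger(policy(hostile), marker)


if __name__ == "__main__":
    print("pass-through :", run_demo(pass_through))  # the fake browser ran
    print("allow-list   :", run_demo(allow_list))    # None: nothing launched
```

The pass-through run shows the escape: the child interpreter never reads a browser list, it just executes whatever BROWSER names, with the xkcd URL as the last argument. The allow-list run is the mitigation the thread gestures at for locked-down hosts: rebuild the child's environment from a short allow-list instead of inheriting it, so BROWSER (and, by the same logic, the Perl-style variables mentioned earlier) never reach the interpreter. On macOS the second run still opens the default browser through the platform launcher, so run it on Linux to see the quiet failure.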
0. https://docs.microsoft.com/en-us/archive/blogs/larryosterman...