Merge pull request from GHSA-29gw-9793-fvw7

Carreau · web-flow · commit 385d69325319 · 2023-02-10T10:21:06.000+01:00
Fix CVE-2023-24816
diff --git a/IPython/__init__.py b/IPython/__init__.py
@@ -63,7 +63,7 @@
 version_info = release.version_info
 # list of CVEs that should have been patched in this release.
 # this is informational and should not be relied upon.
-__patched_cves__ = {"CVE-2022-21699"}
+__patched_cves__ = {"CVE-2022-21699", "CVE-2023-24816"}
 
 
 def embed_kernel(module=None, local_ns=None, **kwargs):
diff --git a/IPython/utils/terminal.py b/IPython/utils/terminal.py
@@ -91,30 +91,14 @@ def _restore_term_title_xterm():
         _set_term_title = _set_term_title_xterm
         _restore_term_title = _restore_term_title_xterm
 elif sys.platform == 'win32':
-    try:
-        import ctypes
-
-        SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
-        SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
-    
-        def _set_term_title(title):
-            """Set terminal title using ctypes to access the Win32 APIs."""
-            SetConsoleTitleW(title)
-    except ImportError:
-        def _set_term_title(title):
-            """Set terminal title using the 'title' command."""
-            global ignore_termtitle
-
-            try:
-                # Cannot be on network share when issuing system commands
-                curr = os.getcwd()
-                os.chdir("C:")
-                ret = os.system("title " + title)
-            finally:
-                os.chdir(curr)
-            if ret:
-                # non-zero return code signals error, don't try again
-                ignore_termtitle = True
+    import ctypes
+
+    SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW
+    SetConsoleTitleW.argtypes = [ctypes.c_wchar_p]
+
+    def _set_term_title(title):
+        """Set terminal title using ctypes to access the Win32 APIs."""
+        SetConsoleTitleW(title)
 
 
 def set_term_title(title):
diff --git a/docs/source/whatsnew/version8.rst b/docs/source/whatsnew/version8.rst
@@ -2,6 +2,18 @@
  8.x Series
 ============
 
+
+IPython 8.9.1
+-------------
+
+Out of schedule release of IPython with minor fixes to patch a potential CVE-2023-24816.
+This is a really low severity CVE that you most likely are not affected by unless:
+
+ - You are on windows.
+ - You have a custom build of Python without ``_ctypes``
+ - You cd or start IPython or Jupyter in untrusted directory which names may be valid shell commands.
+
+
 .. _version 8.9.0:
 
 IPython 8.9.0
