TL;DR: upgrade to notebook 4.2.2
We just released notebook 4.2.2 with a few bugfixes and one important security fix.
We (specifically Steve Sylvester) have found a longstanding security issue in the Notebook, regarding output of untrusted notebooks being able to execute code when the notebook is opened.
The vulnerability has been assigned the identifier CVE-2016-6524.
- 2.0 ≤ IPython < 4.0 (all IPython notebook versions, starting with the introduction of the concept of untrusted output)
- notebook ≤ 4.2.1
- Upgrade to notebook 4.2.2
pip install --upgrade notebook
conda install notebook(once conda channels propagate the release)
The vulnerability was reported on July 26, and a fix proposed on the same day. After some review and testing of the patch and a check for similar vulnerabilities, on August 3 a CVE was assigned and the 4.2.2 release made immediately thereafter.
instead of the fancy visualization. Once you either execute the notebook yourself or explicitly trust the notebook from the File menu, you can see the real results.
When loading output from an untrusted notebook, we take one of three actions:
- the output is potentially unsafe, and sanitized (HTML)
- the output is safe, and displayed regardless of trust
It's that third option of "safe" outputs where things went a bit awry. Safe outputs should be outputs that cannot run code in the browser. This includes plain-text output, which we reliably escape, and raster images, such as pngs and jpegs. So far, so good. It also includes latex, which ought to be like plain text, in that it's properly escaped before being put on the page to be rendered by MathJax. This is where we went wrong. We were putting latex output on the page with jQuery's
$.append, which puts elements on the page verbatim. In this way, if the output that claimed to be latex was actually HTML with script tags and such, it would be able to execute code. The right thing to do (all along) was to use the safe
$.text, which escapes HTML entities before putting things on the page.
So that's the fix.
I'm a bit surprised that we didn't have bugs caused by inequalities and such in equations being mistakenly interpreted as HTML tags.
See our security docs for further details on the security model in Jupyter Notebooks.
If you find a security issue with the notebook or other Jupyter components, please let us know at [email protected]