On 29.11.2015 17:34, Aaron Whitehouse wrote: > Looks like we should move away from shell=True ASAP. > > https://docs.python.org/2/library/subprocess.html#frequently-used-arguments > "Warning > Executing shell commands that incorporate unsanitized input from an untrusted > source makes a program vulnerable to shell injection, a serious security flaw > which can result in arbitrary command execution. For this reason, the use of > shell=True is strongly discouraged in cases where the command string is > constructed from external input [...]" >
that's going to be some effort. we have several backends utilizing shell binaries and at least ftp has a similar issue. btw. how is ist the GpgInterface dealing with this? https://bazaar.launchpad.net/~duplicity-team/duplicity/0.7-series/view/head:/duplicity/gpginterface.py theoretically it should have a similar attack surface but it seems to utilize os.execvp(command[0], command) which seems to have no shell injection issues, as no shell is used. this guy seems to have dug up how subprocess.call() actually uses os.execvp() internally. http://blog.littleimpact.de/index.php/2008/08/11/avoiding-shell-injection-in-ruby-python-and-php/ in summary i'd agree that switching shell=False for subprocess calls should do the trick. ages ago i tried to streamline subprocess usage by adding Backend.subprocess_popen(). reworking all backends to use it and just fix it there should suffice. obviously it will need to be given a list of arguments with a fixed arg[0] run command in that case ;) ..ede/duply.net -- You received this bug notification because you are a member of duplicity-team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1520691 Title: Shell Code Injection in hsi backend Status in Duplicity: In Progress Bug description: https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103 The "hsi" backend of duplicity is vulnerabe to code injections. It uses os.popen3() with should be replaced with subprocess.Popen(). Thank you. File : ------- /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py This is the function witch is vulnerable : ------------------------------------------------------------ def _list(self): commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir) l = os.popen3(commandline)[2].readlines()[3:] Exploit Demo : ============ On the Terminal type in : $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug --> This will start the program xeyes , but should not. I attached a screenshot of the exploit demo. To manage notifications about this bug go to: https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~duplicity-team Post to : [email protected] Unsubscribe : https://launchpad.net/~duplicity-team More help : https://help.launchpad.net/ListHelp
