I needed arg[0] to replace partial path with full path and shlex was the only way to do this easily.
It also parses the commandline the way the shell would, so a legal split. Your example will be reconstructed in Popen as "program ls -l /tmp --help" which is weird, but probably legal in most cases. I thought about doing it with a simple split(), but that would run out something like '/usr/bin/odd dir with spaces/program' ls /tmp so I went with something that is supposed to work. Basically, the problem goes from simple to absurdly complex in a real hurry.

On Mon, Nov 30, 2015 at 12:18 PM, edso <[email protected]> wrote:
> On 30.11.2015 18:45, Bernd Dietzel wrote:
> > I'm not happy with shlex.split.
> > It could split the commandline into unwanted additional arguments.
> >
> > Example with an unwanted help argument in a path:
> >
> > theregrunner@PC:~$ python
> > Python 2.7.10 (default, Oct 14 2015, 16:09:02)
> > [GCC 5.2.1 20151010] on linux2
> > Type "help", "copyright", "credits" or "license" for more information.
> > >>> commandline = '%s "ls -l %s"' % ('program' , '/tmp/" "--help')
> > >>> commandline
> > 'program "ls -l /tmp/" "--help"'
> > >>> import shlex
> > >>> args = shlex.split(commandline)
> > >>> args
> > ['program', 'ls -l /tmp/', '--help']
> > >>>
>
> can you see a security implication? worst case afaics is breakage.
>
> actually backends had to have the parameters properly quoted already.
> if not they wouldn't work with spaces or other special chars. not sure
> that all were tested against these corner cases though.
>
> ..ede/duply.net
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1520691
>
> Title:
>   Shell Code Injection in hsi backend
>
> Status in Duplicity:
>   Fix Committed
>
> Bug description:
>   https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>
>   The "hsi" backend of duplicity is vulnerable to code injections.
>
>   It uses os.popen3() which should be replaced with subprocess.Popen().
>
>   Thank you.
>
>   File :
>   -------
>   /usr/lib/python2.7/dist-packages/duplicity/backends/hsibackend.py
>
>   This is the function which is vulnerable :
>   ------------------------------------------------------------
>   def _list(self):
>       commandline = '%s "ls -l %s"' % (hsi_command, self.remote_dir)
>       l = os.popen3(commandline)[2].readlines()[3:]
>
>   Exploit Demo :
>   ============
>
>   On the Terminal type in :
>
>   $ duplicity 'hsi://bug/";xeyes;"/test/' /tmp/bug
>
>   --> This will start the program xeyes , but should not.
>
>   I attached a screenshot of the exploit demo.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1520691/+subscriptions
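To make the three constructions discussed in this thread concrete, here is an added example (not duplicity's code and not from any participant) that builds the hsi "ls -l" invocation the os.popen3 way, the shlex.split way from the reply, and as a direct argument list, using the two paths quoted above as constructed inputs. The program name "program" and the remote_dir values are assumptions for illustration; the vulnerable string is only returned for comparison and never executed, and arg[0] is resolved with shutil.which instead of a shell.

```python
import shlex
import shutil
import subprocess

# Constructed inputs taken from the thread: the bug report's path and
# Bernd Dietzel's "--help" path. "program" is a placeholder for hsi_command.
HSI_COMMAND = "program"
INJECTION_PATH = 'bug/";xeyes;"/test/'
HELP_PATH = '/tmp/" "--help'


def popen3_commandline(hsi_command, remote_dir):
    """The original hsibackend.py pattern: one string handed to a shell.
    Returned only for comparison; never pass it to os.popen3/shell=True,
    because an unquoted ';' or '"' in remote_dir is parsed by the shell."""
    return '%s "ls -l %s"' % (hsi_command, remote_dir)


def shlex_argv(hsi_command, remote_dir):
    """The fix under discussion: format the string, then shlex.split it.
    No shell runs, but quotes inside remote_dir still change the split."""
    return shlex.split(popen3_commandline(hsi_command, remote_dir))


def direct_argv(hsi_command, remote_dir):
    """Build argv without ever going through a string: remote_dir stays
    inside the single 'ls -l ...' argument whatever characters it holds."""
    return [hsi_command, "ls -l %s" % remote_dir]


def resolve_argv0(argv):
    """Replace a partial program name in argv[0] with its full path
    (the reason the reply above reached for shlex), without a shell."""
    full = shutil.which(argv[0])
    if full is None:
        raise FileNotFoundError("cannot locate %r on PATH" % argv[0])
    return [full] + argv[1:]


def run_hsi_list(hsi_command, remote_dir):
    """Run the listing with an argument list (shell=False is the default),
    so the shell never sees remote_dir. Returns stderr lines like _list()."""
    argv = resolve_argv0(direct_argv(hsi_command, remote_dir))
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stderr.splitlines()[3:]
```

With the "--help" path, shlex_argv yields the three-element list from the thread while direct_argv keeps the whole sub-command as one element; with the bug report's path, shlex_argv produces a single argument and no shell is involved, so the ';' carries no shell meaning.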

