On Fri, Sep 26, 2014 at 12:17:46AM +0200, Antoine Pitrou wrote:
> On Thu, 25 Sep 2014 13:00:16 -0700
> Bob Hanson <d2mp...@newsguy.com> wrote:
> > Critical bash vulnerability CVE-2014-6271 may affect Python on
> > *n*x and OSX:
[...]

See also:

http://adminlogs.info/2014/09/25/again-bash-cve-2014-7169/

> Fortunately, Python's subprocess has its `shell` argument default to
> False. However, `os.system` invokes the shell implicitly and is
> therefore a possible attack vector.

Perhaps I'm missing something, but aren't there easier ways to attack
os.system than the bash env vulnerability? If I'm accepting and running
arbitrary strings from an untrusted user, there's no need for them to go
to the trouble of feeding me:

    "env x='() { :;}; echo gotcha' bash -c 'echo do something useful'"

when they can just feed me:

    "echo gotcha"

In other words, os.system is *already* an attack vector, unless you only
use it with trusted strings. I don't think the bash env vulnerability
adds to the attack surface.

Have I missed something?

-- 
Steven
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
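
An added example, not part of the original message or of CPython: a defensive pattern covering the two inputs discussed above, the command string and the environment. It runs the child without a shell (the `shell=False` default Antoine mentions) and drops environment values shaped like the function definition in the quoted `env x='() { :;}; ...'` string. The names `scrub_env`, `run_without_shell` and `SAMPLE_ENV` are hypothetical, and the sample environment is constructed.

```python
import subprocess
import sys

# Prefix that marks a function definition carried in an environment value,
# as in the `x='() { :;}; ...'` string quoted in the message.
FUNC_PREFIX = "() {"


def scrub_env(env):
    """Split env into (clean, dropped); dropped lists the names whose value
    looks like a function definition. This is a heuristic filter and does
    not replace patching bash."""
    clean, dropped = {}, []
    for name, value in env.items():
        if value.startswith(FUNC_PREFIX):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, sorted(dropped)


def run_without_shell(argv, env):
    """Run argv as an argument list (no shell parses it), passing only the
    scrubbed environment to the child process."""
    if isinstance(argv, str):
        raise TypeError("pass an argument list, not a shell command string")
    clean, dropped = scrub_env(env)
    result = subprocess.run(argv, env=clean, shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout, dropped


# Constructed sample environment; `x` carries the value from the message.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/tmp",
    "x": "() { :;}; echo gotcha",
}

if __name__ == "__main__":
    # The child only lists the variable names it received.
    child = [sys.executable, "-c", "import os; print(sorted(os.environ))"]
    out, dropped = run_without_shell(child, SAMPLE_ENV)
    print("dropped:", dropped)
    print("child saw:", out.strip())
```

With `os.system` neither control is available: the string always goes to the shell, and the child inherits the caller's environment unchanged.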