> The part where the attack payload is passed through the environment, not
through hypothetical user-injected command-line arguments.

So, best advice would be to:

1. Upgrade bash (and standby for an additional patch, according to reddit)
2. Upgrade to WSGI, if possible
3. Be careful about including things from os.environ?
4. Always avoid allowing user input with os.system, os.popen, and
subprocess.xyz(cmd, shell=True) [which doesn't need "#aftershock"]

Am I missing something?

seeAlso:

* http://cwe.mitre.org/top25/#CWE-78 "Improper Neutralization of
Special Elements used in an OS Command ('OS Command Injection')"
* http://cwe.mitre.org/data/definitions/78.html
* https://www.owasp.org/index.php/Top_10_2013-A1-Injection
* https://en.wikipedia.org/wiki/Code_injection#Shell_injection

On Thu, Sep 25, 2014 at 6:53 PM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Fri, 26 Sep 2014 09:40:17 +1000
> Steven D'Aprano <st...@pearwood.info> wrote:
>> Perhaps I'm missing something, but aren't there easier ways to attack
>> os.system than the bash env vulnerability? If I'm accepting and running
>> arbitrary strings from an untrusted user, there's no need for them to go
>> to the trouble of feeding me:
>>
>> "env x='() { :;}; echo gotcha'  bash -c 'echo do something useful'"
>>
>> when they can just feed me:
>>
>> "echo gotcha"
>>
>> In other words, os.system is *already* an attack vector, unless you only
>> use it with trusted strings. I don't think the bash env vulnerability
>> adds to the attack surface.
>>
>> Have I missed something?
>
> The part where the attack payload is passed through the environment, not
> through hypothetical user-injected command-line arguments.
>
> Regards
>
> Antoine.



-- 
Wes Turner
https://westurner.github.io/
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
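An added example, not code from the thread, showing the advice above about os.environ and shell=True in a defensive shape: the child gets an allow-listed environment, values with the `() {` function-export shape quoted in the thread are flagged and dropped, and the program is launched with an argument list and no shell. The allow-list and the CGI-style HTTP_USER_AGENT variable are constructed for the demonstration.

```python
import os
import subprocess
import sys

# Variables a child process may inherit (constructed allow-list for this
# example; tune it to the program being launched).
ALLOWED_ENV_KEYS = ("PATH", "LANG", "HOME", "TMPDIR")


def is_function_export(value):
    """True if `value` has the shape pre-patch bash imported as a function
    definition, e.g. the "() { :;}; echo gotcha" string from the thread."""
    return value.lstrip().startswith("() {")


def scan_environment(env):
    """Names of variables in `env` whose value has the function-export shape;
    useful for logging which request header carried the payload."""
    return sorted(k for k, v in env.items() if is_function_export(v))


def sanitized_environment(source=None):
    """Minimal child environment: allow-listed names only, and none whose
    value looks like a function export. Request-derived names such as
    HTTP_USER_AGENT are dropped simply by not being allow-listed."""
    source = os.environ if source is None else source
    return {k: source[k] for k in ALLOWED_ENV_KEYS
            if k in source and not is_function_export(source[k])}


def run_clean(argv, source_env=None):
    """Run `argv` with shell=False and a sanitized environment, so arguments
    reach the program as data and the environment carries no payload."""
    return subprocess.run(argv, shell=False, env=sanitized_environment(source_env),
                          capture_output=True, text=True, check=True)


def child_env_names(source_env):
    """Launch a Python child and return the variable names it actually sees,
    so the effect of sanitizing can be checked end to end."""
    result = run_clean([sys.executable, "-c", "import os; print(*sorted(os.environ))"],
                       source_env)
    return result.stdout.split()


if __name__ == "__main__":
    # Constructed CGI-style environment: the request header landed in
    # HTTP_USER_AGENT carrying a function-export payload.
    tainted = {"PATH": "/usr/bin:/bin", "LANG": "C",
               "HTTP_USER_AGENT": "() { :;}; echo gotcha"}
    print("flagged:", scan_environment(tainted))
    print("child sees:", child_env_names(tainted))
```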
