[issue34489] subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape

2018-08-30 Thread Sergey G. Brester


Sergey G. Brester  added the comment:

I have extended the PR a bit (more tests and corresponding documentation part).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue34489] subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape

2018-08-29 Thread Sergey G. Brester


Sergey G. Brester  added the comment:

> Would you consider adding your test suite into the regression tests as well?

Sure. Done.

> Right now, this is a well known issue on all platforms

Really? I can't imagine this for anything other than Windows (and it is currently 
fixed for Windows only).
Anyway, if you want the same test cases for other platforms as well, the Windows 
skip-constraint of the new test class "CommandTryInject" should be removed (and the 
set-up as well as "_do_execwithargs" should get additional processing for 
a *nix shell script instead of the .bat file).




[issue34489] subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape

2018-08-27 Thread Steve Dower


Steve Dower  added the comment:

Would you consider adding your test suite into the regression tests as well?

Right now, this is a well known issue on all platforms, but there is no clear 
universal solution. If your approach works well for all platforms and does not 
adversely impact any of them, it could be considered. But otherwise, we would 
prefer to keep our advice to not use subprocess with untrusted data while still 
allowing it in circumstances where the developer chooses otherwise.




[issue34489] subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape

2018-08-24 Thread Sergey G. Brester

New submission from Sergey G. Brester :

There is a vulnerability "insufficient escape of special chars for quoting of 
arguments by exec process" in Python when executing Windows 
batch files (bat/cmd).

### What version of python is affected?
All

### Does this issue reproduce with the latest master?
Yes

### What did you do?
Execution of a batch file using the `subprocess` module with arguments containing 
some special meta-characters.

A recipe for reproducing the error as well as a more extensive PoC with 
additional info (and more affected languages):
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/README.md
A complete runnable program:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/test-dump-inv.py

 A simple example:
```diff
 # invoke exe-file:
 >>> import subprocess
 >>> subprocess.call(['test-dump.exe', 'test'])
+`test-dump.exe´ `test´
 # invoke cmd-file:
 >>> subprocess.call(['test-dump.CMD', 'test'])
-`test-dump.exe´ `test´my_domain\sebres
```
For more "broken" cases, see the result of my test-suite:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/results/python.diff

### What did you expect to see?
Arguments are escaped/quoted properly.

### What did you see instead?
Arguments are insufficiently escaped/quoted, so it is currently vulnerable.

### Solution:

For a possible solution, see GitHub PR #8906:
- https://github.com/python/cpython/pull/8906 
For algorithm description:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/SOLUTION.md
resp. how it was fixed in TCL (C-code):
- https://core.tcl-lang.org/tcl/vdiff?from=core-8-5-branch=0-day-21b0629c81 
(see the function `BuildCommandLine`)

### Possible similar issues:
bpo-33515

--
components: Library (Lib), Windows
messages: 324013
nosy: paul.moore, sebres, steve.dower, tim.golden, zach.ware
priority: normal
pull_requests: 8376
severity: normal
status: open
title: subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python 
for windows / insufficient escape
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

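A caller-side guard for the situation reported above, as an added example that is not part of the original thread or of the linked PR: it refuses to hand a `.bat`/`.cmd` target any argument containing characters that cmd.exe interprets. The deny-list `CMD_META`, the helper names and the sample arguments are assumptions of this example, and the check is deliberately conservative rather than an implementation of the escaping algorithm linked in the report.

```python
import subprocess

# Characters cmd.exe treats specially when it parses a command line.
# Assumption of this example: a conservative deny-list, not the PR's escaping.
CMD_META = set('&|<>^%!"()\r\n')
BATCH_EXTS = ('.bat', '.cmd')


def is_batch_target(program):
    """True when Windows runs the program through cmd.exe (batch file)."""
    return program.lower().endswith(BATCH_EXTS)


def unsafe_batch_args(argv):
    """Return (index, offending chars) for arguments cmd.exe could reinterpret."""
    if not argv or not is_batch_target(argv[0]):
        return []
    findings = []
    for i, arg in enumerate(argv[1:], start=1):
        bad = sorted(CMD_META.intersection(arg))
        if bad:
            findings.append((i, ''.join(bad)))
    return findings


def checked_call(argv, **kwargs):
    """subprocess.call wrapper that rejects risky arguments for batch files."""
    findings = unsafe_batch_args(argv)
    if findings:
        raise ValueError('cmd.exe metacharacters in arguments: %r' % findings)
    return subprocess.call(argv, **kwargs)


# Constructed sample inputs (not taken from the issue's test suite).
SAMPLES = [
    ['test-dump.exe', 'R&D'],          # .exe target: cmd.exe is not involved
    ['test-dump.CMD', 'test'],         # batch file, plain argument
    ['test-dump.CMD', 'R&D'],          # batch file, '&' separates commands
    ['test-dump.cmd', '100%', 'a b'],  # '%' starts variable expansion
]

if __name__ == '__main__':
    for argv in SAMPLES:
        # list2cmdline adds quotes only around arguments with spaces or tabs
        # (or empty ones), so 'R&D' reaches the command line bare.
        print(subprocess.list2cmdline(argv), '->', unsafe_batch_args(argv) or 'ok')
```

Rejecting the input outright also blocks harmless values such as `R&D`; that is the trade-off of a deny-list compared with correct escaping.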