[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-15 Thread R. David Murray

R. David Murray added the comment:

Since setup.py can run arbitrary python code, it is pointless to worry about 
this from a security perspective.  The change is otherwise not a bad idea, 
though, since it avoids filename quoting problems.  Is there any chance this 
would break existing setup.py files that do their own quoting of the filenames 
to get around the quoting problem?  I'm guessing not since the filename gets 
used in multiple contexts, and the other contexts probably require an unquoted 
filename. Which would make this a simple bug fix against bdist_rpm.

However, why not convert to using Popen?

--
nosy: +r.david.murray
type: security -> behavior
versions: +Python 3.5, Python 3.6

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-14 Thread SilentGhost

SilentGhost added the comment:

This also seems to affect python 3, where os.popen is implemented using 
subprocess.Popen, but that one is called with shell=True. So basically the 
string that's passed to os.popen should be quoted. The attached patch seems to 
be sufficient when applied on the default branch.

--
keywords: +patch
nosy: +SilentGhost
Added file: http://bugs.python.org/file41044/issue25627.diff

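The two fixes discussed in this thread (SilentGhost's quoting of the string handed to os.popen, and R. David Murray's suggestion to drop the shell and use subprocess with an argument list) can be compared side by side. The following is an added illustration written for this page; it is not the attached issue25627.diff and not bdist_rpm's actual q_cmd. The rpm arguments and the build/SPECS path are simplified stand-ins, and a Python child process stands in for rpm so it runs without rpm installed (Python 3.7+ for subprocess.run's capture_output):

```python
import json
import shlex
import subprocess
import sys


def spec_path_for(name):
    # Constructed stand-in for how bdist_rpm derives the .spec path from the
    # distribution name (assumption: a fixed SPECS directory, not the real layout).
    return "build/SPECS/" + name + ".spec"


def naive_command(name):
    # Command string built by plain concatenation and handed to a shell, which is
    # the shape of the os.popen(q_cmd) call the report points at.  The rpm
    # arguments are a simplified stand-in, not the exact q_cmd from bdist_rpm.
    return "rpm -q --specfile " + spec_path_for(name)


def quoted_command(name):
    # SilentGhost's approach: keep the shell, but quote the interpolated value so
    # the shell sees it as exactly one word.
    return "rpm -q --specfile " + shlex.quote(spec_path_for(name))


def shell_tokens(command):
    # Approximate how /bin/sh would split the string into words and operators
    # (shlex with punctuation_chars splits ';', '|', '&' and friends into their
    # own tokens).  Nothing is executed here; this only shows the word boundaries.
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def argv_seen_by_child(name):
    # R. David Murray's approach: no shell at all.  subprocess with an argument
    # list passes each element straight through as one argv entry, so there is
    # nothing to quote.  The child prints its argv back as JSON for inspection.
    child = subprocess.run(
        [sys.executable, "-c",
         "import json, sys; print(json.dumps(sys.argv[1:]))",
         "-q", "--specfile", spec_path_for(name)],
        capture_output=True, text=True, check=True)
    return json.loads(child.stdout)


if __name__ == "__main__":
    # Constructed distribution name containing a space and a ';', the kind of
    # value the issue is about.
    NAME = "demo pkg;extra"
    print(shell_tokens(naive_command(NAME)))    # path split into words, ';' is an operator
    print(shell_tokens(quoted_command(NAME)))   # one word, as intended
    print(argv_seen_by_child(NAME))             # one argv entry, no shell involved
```

The first call shows why the report is a real bug even without thinking about it as an attack: a name with a space or a shell operator in it simply produces the wrong command. Quoting fixes the word boundaries but keeps the shell in the loop; the argument-list form removes the quoting problem entirely, which is what makes the Popen conversion the simpler fix.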



[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name

2015-11-14 Thread Bernd Dietzel

New submission from Bernd Dietzel:

https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183

File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py

Line 358 :
This line in the code uses the deprecated os.popen command, should be replaced 
with subprocess.Popen() :

out = os.popen(q_cmd)

Exploit demo :

1) Download the setup.py script which I attached
2) Create a test folder and put the setup.py script in this folder
3) cd to the test folder
4) python setup.py bdist_rpm
5) An xmessage window pops up as a proof of concept

--
components: Distutils
files: setup.py
messages: 254670
nosy: TheRegRunner, dstufft, eric.araujo
priority: normal
severity: normal
status: open
title: distutils : file "bdist_rpm.py" allows Shell injection in "name
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file41043/setup.py




[issue25627] distutils : file "bdist_rpm.py" allows Shell injection in "name"

2015-11-14 Thread Bernd Dietzel

Changes by Bernd Dietzel :


--
title: distutils : file "bdist_rpm.py" allows Shell injection in "name -> 
distutils : file "bdist_rpm.py" allows Shell injection in "name"
