Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-27 Thread Xavier Morel
On 2014-09-27, at 00:11 , Cameron Simpson c...@zip.com.au wrote: On 26Sep2014 13:16, Antoine Pitrou solip...@pitrou.net wrote: On Fri, 26 Sep 2014 01:10:53 -0700 Hasan Diwan hasan.di...@gmail.com wrote: On 26 September 2014 00:28, Matěj Cepl mc...@cepl.eu wrote: Where does your faith that

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Jeremy Sanders
Antoine Pitrou wrote: Fortunately, Python's subprocess has its `shell` argument default to False. However, `os.system` invokes the shell implicitly and is therefore a possible attack vector. Of course anything called by subprocess with shell=False may invoke the shell itself if it runs other

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Matěj Cepl
On 2014-09-25, 23:14 GMT, Cameron Simpson wrote: Fortunately, Python's subprocess has its `shell` argument default to False. However, `os.system` invokes the shell implicitly and is therefore a possible attack vector. Only if /bin/sh is bash :-) Not always the case, fortunately. Where does your

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Hasan Diwan
Matěj, On 26 September 2014 00:28, Matěj Cepl mc...@cepl.eu wrote: Where does your faith that other /bin/sh implementations (dash, busybox, etc.) are less buggy come from? The fact that they are simpler, in terms of lines of code. It's no guarantee, but the less a given piece of code does,

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Serhiy Storchaka
On 26.09.14 01:17, Antoine Pitrou wrote: Fortunately, Python's subprocess has its `shell` argument default to False. However, `os.system` invokes the shell implicitly and is therefore a possible attack vector. Fortunately dash (which is used as /bin/sh in Debian and Ubuntu) is not vulnerable.

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Antoine Pitrou
On Fri, 26 Sep 2014 01:10:53 -0700 Hasan Diwan hasan.di...@gmail.com wrote: Matěj, On 26 September 2014 00:28, Matěj Cepl mc...@cepl.eu wrote: Where does your faith that other /bin/sh implementations (dash, busybox, etc.) are less buggy come from? The fact that they are simpler, in

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Stefan Behnel
Jeremy Sanders wrote on 26.09.2014 at 09:28: Antoine Pitrou wrote: Fortunately, Python's subprocess has its `shell` argument default to False. However, `os.system` invokes the shell implicitly and is therefore a possible attack vector. Of course anything called by subprocess with

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Antoine Pitrou
On Fri, 26 Sep 2014 14:56:05 +0200 Stefan Behnel stefan...@behnel.de wrote: Jeremy Sanders wrote on 26.09.2014 at 09:28: Antoine Pitrou wrote: Fortunately, Python's subprocess has its `shell` argument default to False. However, `os.system` invokes the shell implicitly and is

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Jeremy Sanders
Stefan Behnel wrote: Ok, but does that really make it a relevant topic for python-dev? Sorry - I thought I was reading python-general. gmane makes it too easy to post :-). However, I think it's worth pointing that out, in case people think that Popen is a security panacea. J

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-26 Thread Cameron Simpson
On 26Sep2014 13:16, Antoine Pitrou solip...@pitrou.net wrote: On Fri, 26 Sep 2014 01:10:53 -0700 Hasan Diwan hasan.di...@gmail.com wrote: On 26 September 2014 00:28, Matěj Cepl mc...@cepl.eu wrote: Where does your faith that other /bin/sh implementations (dash, busybox, etc.) are less buggy

[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Bob Hanson
Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Antoine Pitrou
On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson d2mp...@newsguy.com wrote: Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Wes Turner
This was helpful: http://sarge.readthedocs.org/en/latest/internals.html#how-shell-quoting-works -- Wes Turner On Thu, Sep 25, 2014 at 5:17 PM, Antoine Pitrou solip...@pitrou.net wrote: On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson d2mp...@newsguy.com wrote: Critical bash vulnerability

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Cameron Simpson
On 26Sep2014 00:17, Antoine Pitrou solip...@pitrou.net wrote: On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson d2mp...@newsguy.com wrote: Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 [...] Fortunately,

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Steven D'Aprano
On Fri, Sep 26, 2014 at 12:17:46AM +0200, Antoine Pitrou wrote: On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson d2mp...@newsguy.com wrote: Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX: [...] See also: http://adminlogs.info/2014/09/25/again-bash-cve-2014-7169/

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Antoine Pitrou
On Fri, 26 Sep 2014 09:40:17 +1000 Steven D'Aprano st...@pearwood.info wrote: Perhaps I'm missing something, but aren't there easier ways to attack os.system than the bash env vulnerability? If I'm accepting and running arbitrary strings from an untrusted user, there's no need for them to go

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Wes Turner
The part where the attack payload is passed through the environment, not through hypothetical user-injected command-line arguments. So, best advice would be to: 1. Upgrade bash (and standby for an additional patch, according to reddit) 2. Upgrade to WSGI, if possible 3. Be careful about

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Chris Angelico
On Fri, Sep 26, 2014 at 9:53 AM, Antoine Pitrou solip...@pitrou.net wrote: In other words, os.system is *already* an attack vector, unless you only use it with trusted strings. I don't think the bash env vulnerability adds to the attack surface. Have I missed something? The part where the

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Devin Jeanpierre
On Thu, Sep 25, 2014 at 4:53 PM, Antoine Pitrou solip...@pitrou.net wrote: In other words, os.system is *already* an attack vector, unless you only use it with trusted strings. I don't think the bash env vulnerability adds to the attack surface. Have I missed something? The part where the

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Chris Angelico
On Fri, Sep 26, 2014 at 10:29 AM, Devin Jeanpierre jeanpierr...@gmail.com wrote: As I understand it, if the attacker can help specify the environment (e.g. this is a CGI script), and you run os.system('echo hi'), you can get pwned. Even safe uses of os.system are vulnerable unless you point

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Cameron Simpson
On 26Sep2014 09:40, Steven D'Aprano st...@pearwood.info wrote: On Fri, Sep 26, 2014 at 12:17:46AM +0200, Antoine Pitrou wrote: On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson d2mp...@newsguy.com wrote: Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX: [...] See

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Tres Seaver
On 09/25/2014 08:59 PM, Cameron Simpson wrote: Your cable/adsl modem? Probably an embedded Linux box, possibly using bash, and certainly a dhcp client of the ISP. Better still, for many people that same compromisable modem is the DHCP _server_ for

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Cameron Simpson
On 25Sep2014 21:30, Tres Seaver tsea...@palladion.com wrote: On 09/25/2014 08:59 PM, Cameron Simpson wrote: Your cable/adsl modem? Probably an embedded Linux box, possibly using bash, and certainly a dhcp client of the ISP. Better still, for many people that same compromisable modem is the DHCP

Re: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

2014-09-25 Thread Marko Rauhamaa
Steven D'Aprano st...@pearwood.info: Perhaps I'm missing something, but aren't there easier ways to attack os.system than the bash env vulnerability? The main concern is the cases where you provide a service accessible through an SSH login and try to sandbox the client with limited