Public bug reported:

Horizon uses subprocess with shell=True in openstack_dashboard\management\commands\extract_messages.py and openstack_dashboard\management\commands\update_catalog.py in function handle.

Handle contains command with a double quote, either accidentally or maliciously, the command will be executed with shell=True. Bandit thinks it's insecure.

For more information on subprocess, shell=True and command injection see: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

** Affects: horizon
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1908848

Title:
  subprocess with shell=True

Status in OpenStack Dashboard (Horizon):
  New
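The difference the report points at, shown as an added example that is not part of the bug report and is not Horizon's code: a value containing a double quote changes how the shell parses a formatted command string, while the argument-list form keeps it as a single argument. The template, function names and sample values are hypothetical, and a POSIX `sh` with `echo` is assumed.

```python
import shlex
import subprocess

# Hypothetical command template built by string formatting; it stands in for
# the flagged pattern and is not taken from extract_messages.py or
# update_catalog.py.
TEMPLATE = 'echo "domain=%s"'

# Constructed sample inputs.
BENIGN = "django"
QUOTED = 'django"; echo SECOND-COMMAND; echo "'


def run_with_shell(value):
    """Pattern Bandit flags: the formatted string is parsed by the shell."""
    cmd = TEMPLATE % value
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_with_argv(value):
    """Hardened form: argument list, no shell, value stays one argument."""
    proc = subprocess.run(["echo", "domain=%s" % value],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def run_with_quoted_shell(value):
    """Fallback when a shell is unavoidable: quote the value with shlex."""
    cmd = "echo domain=%s" % shlex.quote(value)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    for label, value in (("benign", BENIGN), ("quoted", QUOTED)):
        print(label, "shell=True   ->", run_with_shell(value))
        print(label, "argv list    ->", run_with_argv(value))
        print(label, "shlex.quote  ->", run_with_quoted_shell(value))
```

With the quoted sample, the `shell=True` call returns more than one output line because the shell saw three commands; the other two forms return exactly one line containing the value verbatim.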

