Fix for CVE-2022-37460 - Removed "shell=True", made args a list, and revised to handle stdin in function by calebshortt · Pull Request #96014 · python/cpython


Conversation


calebshortt

Fixes a vulnerability (CVE-2022-37460) in the get-remote-certificate script that would allow for remote code execution given a malicious host parameter.

NOTE: Issue reported to python security but no gh-#####.


@ghost

All commit authors signed the Contributor License Agreement.
CLA signed

@gpshead

Please file an issue in this github repo related to this. Adjust the PR title to refer to the gh-#####: issue number. PRs are already public. There is no reason not to file an issue once a PR exists.

(and no need to refer to the CVE as that is being withdrawn)

@vstinner

This change breaks the script. I'm not sure if you tested manually the script with your change.

To remove shell=True, you have to split manually the r'openssl x509 (...)' shell command.

Anyway, I wrote PR #97613 which works and has a NEWS entry. I credited you in my PR.
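The point raised in the review above, that dropping shell=True means the command string itself has to be split into an argument list, is illustrated below. This is an added example, not code from this PR, from #97613 or from the get-remote-certificate script; the openssl flags are assumed for illustration, and the self-test swaps the two openssl stages for Python one-liners so nothing touches the network.

```python
"""Added example: replacing shell=True with argument lists and an explicit stdin pipe.

The two-stage flow (openssl s_client output fed into openssl x509) mirrors what
the PR description refers to, but the exact flags are assumed, not copied from
the script.
"""
import json
import subprocess
import sys


def vulnerable_command(host, port):
    # The pattern the PR removes: an untrusted host interpolated into one string
    # that is then handed to shell=True. Returned only for comparison; never run.
    return f"openssl s_client -connect {host}:{port} | openssl x509 -text"


def s_client_argv(host, port):
    # Hardened form: one list element per argument and no shell in between.
    # Whatever characters the host carries, it reaches execve as a single argv entry.
    return ["openssl", "s_client", "-connect", f"{host}:{port}"]


def x509_argv():
    # Second stage of the pipeline, also as a list (flags assumed for illustration).
    return ["openssl", "x509", "-text"]


def run_pipeline(first, second, stdin_bytes=b""):
    """Run `first`, feed its stdout to `second` via input=, return second's stdout.

    This replaces the shell `|` without shell=True: both stages are argument lists,
    and the data hand-off happens inside Python rather than in a shell.
    """
    stage1 = subprocess.run(first, input=stdin_bytes, capture_output=True, check=True)
    stage2 = subprocess.run(second, input=stage1.stdout, capture_output=True, check=True)
    return stage2.stdout


def argv_as_seen_by_child(argv):
    """Offline check: swap argv[0] for a Python probe that echoes its own argv.

    Demonstrates that a constructed host value containing shell metacharacters
    arrives in the child as exactly one argument when no shell is involved.
    """
    probe = [sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))"]
    out = subprocess.run(probe + argv[1:], capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def demo_pipeline():
    # Python stages standing in for the two openssl calls, so the pipe can be
    # exercised without openssl or a network connection.
    upper = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read().upper())"]
    rev = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read()[::-1])"]
    return run_pipeline(upper, rev, b"cert")


if __name__ == "__main__":
    host = "example.com; echo INJECTED"  # constructed value with shell metacharacters
    print("shell string (unsafe):", vulnerable_command(host, 443))
    print("argv seen by child (safe):", argv_as_seen_by_child(s_client_argv(host, 443)))
    print("pipeline output:", demo_pipeline())
```

The first print shows why the string form is dangerous: a shell would tokenize it and treat the text after `;` as a second command. The second print shows the host string intact as one element of argv, which is the property the review asks the fix to preserve; the pipeline helper is how the `openssl x509` stage can keep reading from stdin once the shell pipe is gone.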

@bedevere-bot

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@kumaraditya303

Superseded by #97613. Thanks for the PR!