[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on nx and OSX (original) (raw)
Steven D'Aprano steve at pearwood.info
Fri Sep 26 01:40:17 CEST 2014
- Previous message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
- Next message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Sep 26, 2014 at 12:17:46AM +0200, Antoine Pitrou wrote:
On Thu, 25 Sep 2014 13:00:16 -0700 Bob Hanson <d2mp1a9 at newsguy.com> wrote: > Critical bash vulnerability CVE-2014-6271 may affect Python on > nx and OSX: [...]
See also:
http://adminlogs.info/2014/09/25/again-bash-cve-2014-7169/
Fortunately, Python's subprocess has its
shellargument default to False. However,os.systeminvokes the shell implicitly and is therefore a possible attack vector.
Perhaps I'm missing something, but aren't there easier ways to attack os.system than the bash env vulnerability? If I'm accepting and running arbitrary strings from an untrusted user, there's no need for them to go to the trouble of feeding me:
"env x='() { :;}; echo gotcha' bash -c 'echo do something useful'"
when they can just feed me:
"echo gotcha"
In other words, os.system is already an attack vector, unless you only use it with trusted strings. I don't think the bash env vulnerability adds to the attack surface.
Have I missed something?
-- Steven
- Previous message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
- Next message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]