[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Marko Rauhamaa marko at pacujo.net
Fri Sep 26 06:31:15 CEST 2014
Steven D'Aprano <steve at pearwood.info>:
> Perhaps I'm missing something, but aren't there easier ways to attack os.system than the bash env vulnerability?
The main concern is the cases where you provide a service accessible through an SSH login and try to sandbox the client with limited functionality. SSH passes some environment variables on to the service which can then be used as an XSS vector.
For example, if you wrote an SVN server's SSH front end with Python and used subprocess.Popen(shell=True) to execute the SVN operations, you could become a victim.
Marko
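
Added example, not part of the original message or of any project's code: a sketch of how the SSH front end described above could run its SVN operation without a shell and with an allowlisted environment. It assumes an OpenSSH forced command (so the client's request arrives in `SSH_ORIGINAL_COMMAND`) and that `svnserve -t` is the only operation permitted; the function names and both allowlists are hypothetical.

```python
import os
import shlex
import subprocess

# Assumed policy for this example: the only variables the child may inherit.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "LOGNAME", "USER")
# Assumed policy: the only request accepted, mapped to a fixed argv.
ALLOWED_COMMANDS = {("svnserve", "-t"): ["svnserve", "-t"]}


def scrub_env(environ):
    """Build a minimal child environment from the allowlist.

    Values that look like exported bash function definitions (a "() {"
    prefix, the form CVE-2014-6271 concerns) are dropped even when the
    variable name is allowlisted.
    """
    clean = {}
    for name in ENV_ALLOWLIST:
        value = environ.get(name)
        if value is None or value.lstrip().startswith("() {"):
            continue
        clean[name] = value
    return clean


def resolve_command(requested):
    """Map the client's request to a fixed argv, or None if not allowed."""
    try:
        words = shlex.split(requested)
    except ValueError:  # unbalanced quotes and similar
        return None
    return ALLOWED_COMMANDS.get(tuple(words))


def run_front_end(environ, runner=subprocess.call):
    """Run the permitted command; return its exit status, or 1 on refusal."""
    argv = resolve_command(environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        return 1
    # shell=False: Python itself starts no /bin/sh (which may be bash), and
    # the client's text is never handed to a shell for interpretation.
    return runner(argv, env=scrub_env(environ), shell=False)


if __name__ == "__main__":
    raise SystemExit(run_front_end(os.environ))
```

The scrubbed environment still matters with `shell=False`, because the child process may itself start bash; patching bash remains the actual fix.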