[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Matěj Cepl mcepl at cepl.eu
Fri Sep 26 09:28:39 CEST 2014
On 2014-09-25, 23:14 GMT, Cameron Simpson wrote:
>> Fortunately, Python's subprocess has its shell argument default to False. However, os.system invokes the shell implicitly and is therefore a possible attack vector.
>
> Only if /bin/sh is bash :-) Not always the case, fortunately.
Where does your faith that other /bin/sh implementations (dash, busybox, etc.) are less buggy come from? On the contrary, bash being the most used, beaten, patched, and studied of them all has plenty of arguments to claim to be the most secure /bin/sh implementation around. You just don't know about those other guys' bugs. No reason to believe hackers don't know about them either.
Matěj
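
Added example (not part of the original message and not CPython code): whichever /bin/sh is installed, the exposure discussed in this thread exists only where Python code actually starts a shell, so the sketch below walks a module's AST and lists those call sites. It goes beyond the os.system case named in the thread by also flagging os.popen and subprocess calls with shell= set; the function name find_shell_calls and the SAMPLE source are constructed for illustration, and Python 3.8+ is assumed.

```python
import ast

# Calls that always pass their command string to /bin/sh.
IMPLICIT_SHELL = {("os", "system"), ("os", "popen")}
# subprocess entry points that use a shell only when shell= is truthy.
SUBPROCESS_FUNCS = {"call", "check_call", "check_output", "Popen", "run"}

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
import os, subprocess
os.system("ls " + path)
subprocess.call(["ls", path])
subprocess.check_output("ls " + path, shell=True)
subprocess.Popen(cmd, shell=use_shell)
subprocess.call(cmd, shell=False)
os.popen("date")
'''


def find_shell_calls(source):
    """Return sorted (line, note) pairs for calls that start a shell.

    Only the plain module.function form is recognised; aliases such as
    "from os import system" are not followed.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
            continue
        module, name = func.value.id, func.attr
        if (module, name) in IMPLICIT_SHELL:
            findings.append((node.lineno, f"{module}.{name}: implicit shell"))
        elif module == "subprocess" and name in SUBPROCESS_FUNCS:
            for kw in node.keywords:
                if kw.arg != "shell":
                    continue
                if isinstance(kw.value, ast.Constant):
                    if kw.value.value:  # shell=True (or another truthy literal)
                        findings.append((node.lineno, f"subprocess.{name}: shell enabled"))
                else:  # value only known at run time; needs manual review
                    findings.append((node.lineno, f"subprocess.{name}: shell set at run time"))
    return sorted(findings)


if __name__ == "__main__":
    for line, note in find_shell_calls(SAMPLE):
        print(f"line {line}: {note}")
```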