[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name
Bernd Dietzel
1694007 at bugs.launchpad.net
Sat May 27 11:13:47 UTC 2017
Screenshot
** Attachment added: "Screenshot"
https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+attachment/4884537/+files/screenshot.png
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bzr in Ubuntu.
https://bugs.launchpad.net/bugs/1694007
Title:
  externalcommand.py : Shell injection with a Path name

Status in bzr package in Ubuntu:
  New

Bug description:
  If the path contains a shell command, it will be executed.

  In this demo the program xeyes will start but should not:

  ~ $ python
  Python 2.7.12 (default, Nov 19 2016, 06:48:10)
  [GCC 5.4.0 20160609] on linux2
  Type "help", "copyright", "credits" or "license" for more information.
  >>> import bzrlib.externalcommand as E
  >>> x=E.ExternalCommand('/tmp/$(xeyes)/test/abc')
  >>> y=x.help()
  sh: 1: /tmp//test/abc: not found
  >>> # xeyes does run now #

  Package:
  python-bzrlib

  File:
  /usr/lib/python2.7/dist-packages/bzrlib/externalcommand.py

  Line 64:
  pipe = os.popen('%s --help' % self.path)

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: python-bzrlib 2.7.0-2ubuntu3
  ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
  Uname: Linux 4.4.0-66-generic x86_64
  NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
  ApportVersion: 2.20.1-0ubuntu2.6
  Architecture: amd64
  CurrentDesktop: X-Cinnamon
  Date: Sat May 27 13:00:36 2017
  InstallationDate: Installed on 2016-07-31 (300 days ago)
  InstallationMedia: Linux Mint 18 "Sarah" - Release amd64 20160628
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  SourcePackage: bzr
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+subscriptions
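
Added example, not part of the original report and not bzr's own code: the pattern quoted from line 64 next to two ways of running the same command without shell expansion of the path. It assumes Python 3 and a POSIX sh; the function names, the marker file and the sample path are constructed for the illustration.

```python
import os
import shlex
import subprocess
import tempfile


def help_via_shell(path):
    # Same pattern as line 64: the string is parsed by /bin/sh, so $(...)
    # inside the path is expanded before the command itself is looked up.
    return subprocess.run('%s --help' % path, shell=True,
                          capture_output=True, text=True).returncode


def help_via_quoted_shell(path):
    # If a shell string cannot be avoided, quote the path so that sh treats
    # it as one literal word.
    return subprocess.run('%s --help' % shlex.quote(path), shell=True,
                          capture_output=True, text=True).returncode


def help_via_argv(path):
    # Preferred: no shell at all, the path is a single argv element.
    try:
        return subprocess.run([path, '--help'], capture_output=True,
                              text=True).returncode
    except OSError:
        return None  # path does not exist or is not executable


def demo():
    """Return, per variant, whether the embedded command was executed."""
    ran = {}
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, 'marker')
        # Constructed sample path; 'touch' stands in for xeyes in the report.
        path = '%s/$(touch %s)/test/abc' % (tmp, shlex.quote(marker))
        for name, run in (('argv', help_via_argv),
                          ('quoted_shell', help_via_quoted_shell),
                          ('shell', help_via_shell)):
            run(path)
            ran[name] = os.path.exists(marker)
            if ran[name]:
                os.remove(marker)
    return ran


if __name__ == '__main__':
    print(demo())
```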