New submission from David Benjamin:

The implementation of platform.architecture shells out to the file command. It tries to escape quotes by replacing " with \", but that's not sufficient.

$ python3.2 -c 'import platform; platform.architecture("foo\\\"; echo Hi there > /tmp/Z; echo \\\"")' && cat /tmp/Z
Hi there

Here's a patch to make it use subprocess instead. I haven't tested it thoroughly building everything from trunk and running tests, but I verified it works by replacing the platform.py in my system Python install.

----------
components: Library (Lib)
files: fix-platform-architecture.patch
keywords: patch
messages: 171825
nosy: David.Benjamin
priority: normal
severity: normal
status: open
title: platform.architecture does not correctly escape argument to /usr/bin/file
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4, Python 3.5

Added file: http://bugs.python.org/file27391/fix-platform-architecture.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue16112>
_______________________________________
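Added example, not part of the original report or of the attached patch: it compares the quote-only escaping described above with shlex.quote and with an argument list passed to subprocess without a shell, using a harmless constructed file name. The helper names and SAMPLE are assumptions made for illustration; the command strings are only tokenized with shlex, never executed.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample: a harmless file name containing backslash-quote pairs.
SAMPLE = 'x\\" second third \\"'


def naive_cmd(path):
    # The escaping the report describes: only '"' is rewritten to '\"'.
    # A backslash already in front of a quote is left alone, so the pair
    # becomes '\\"': an escaped backslash followed by a closing quote.
    return 'file "' + path.replace('"', '\\"') + '"'


def quoted_cmd(path):
    # Shell-string form with proper POSIX quoting.
    return "file " + shlex.quote(path)


def shell_words(cmdline):
    # Split into words the way a POSIX shell would; nothing is executed.
    return shlex.split(cmdline)


def child_argv(path):
    # Argument-list form (no shell involved): a child interpreter reports
    # back exactly which arguments it received.
    probe = "import json, sys; print(json.dumps(sys.argv[1:]))"
    done = subprocess.run([sys.executable, "-c", probe, path],
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


def main():
    for label, cmd in (("naive", naive_cmd(SAMPLE)),
                       ("shlex.quote", quoted_cmd(SAMPLE))):
        print(f"{label:12} {cmd!r} -> {shell_words(cmd)}")
    print(f"{'argv list':12} -> {child_argv(SAMPLE)}")


if __name__ == "__main__":
    main()
```

With the quote-only escaping the single file name is split into several shell words, which is the break-out the report demonstrates; the other two forms deliver it as one argument.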