[issue40932] subprocess docs don't qualify the instruction to use shlex.quote by OS
Change by Stephen Farris:

type: -> security

Python tracker <https://bugs.python.org/issue40932>
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue40932] subprocess docs don't qualify the instruction to use shlex.quote by OS
New submission from Stephen Farris:

The subprocess docs state: "When using shell=True, the shlex.quote() function can be used to properly escape whitespace and shell metacharacters in strings that are going to be used to construct shell commands."

While this is true on Unix, it is not true on Windows. On Windows it is easy to create scenarios where shell injection still exists despite using shlex.quote properly (e.g. subprocess.run(shlex.quote("'&calc '"), shell=True) launches the Windows calculator, which it wouldn't do if shlex.quote was able to prevent shell injection on Windows). While the shlex docs state that shlex is for Unix, the subprocess docs imply that shlex.quote will work on Windows too, possibly leading some developers to erroneously use shlex.quote on Windows to try to prevent shell injection.

Recommend:
1) qualifying the above section in the subprocess docs to make it clear that this only works on Unix, and
2) updating the shlex docs with warnings that shlex.quote in particular is not for use on Windows.

assignee: docs@python
components: Documentation
messages: 371140
nosy: Stephen Farris, docs@python
priority: normal
severity: normal
status: open
title: subprocess docs don't qualify the instruction to use shlex.quote by OS
versions: Python 3.8

Python tracker <https://bugs.python.org/issue40932>
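As an added example (not part of the issue report or of CPython), the script below shows why shlex.quote() only helps on POSIX shells: its output round-trips through a POSIX parser as one token, yet still carries characters cmd.exe treats as live, and the portable fix is an argv list with shell=False. It also generalizes past the report's value to "%", which shlex.quote leaves unquoted but cmd.exe expands. The helper names and the CMD_METACHARS set are my own assumptions; nothing here is run through a shell.

```python
import shlex
import subprocess
import sys

# Characters cmd.exe interprets outside double quotes: command separators,
# pipe, redirection, the caret escape and variable expansion. Constructed for
# this check and not exhaustive; single quotes are deliberately absent because
# cmd.exe gives them no quoting meaning at all.
CMD_METACHARS = set('&|<>^%!"\n')


def posix_roundtrip_is_single_token(arg: str) -> bool:
    """On a POSIX shell, shlex.quote(arg) parses back to exactly [arg]."""
    return shlex.split(shlex.quote(arg)) == [arg]


def shlex_quote_leaves_cmd_metachars(arg: str) -> bool:
    """True when the POSIX-quoted string still carries cmd.exe metacharacters.

    shlex.quote wraps unsafe values in single quotes, which cmd.exe does not
    treat as quoting, and it leaves '%' unquoted entirely, so those characters
    remain live on Windows.
    """
    return any(ch in CMD_METACHARS for ch in shlex.quote(arg))


def shell_command_as_cmd_sees_it(user_arg: str) -> str:
    """The string a shell=True call would hand to the shell (never executed here)."""
    return "echo " + shlex.quote(user_arg)


def child_argv_via_list(user_arg: str) -> str:
    """Portable fix: argv list with shell=False, so no shell parses user_arg.

    The child is the current interpreter writing its own sys.argv[1] back,
    which shows the argument arriving intact on any OS.
    """
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", user_arg]
    result = subprocess.run(child, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    reported_value = "'&calc '"  # the value quoted in the bug report
    print("POSIX round-trip ok:", posix_roundtrip_is_single_token(reported_value))
    print("cmd.exe metachars survive:", shlex_quote_leaves_cmd_metachars(reported_value))
    print("what the shell would see:", shell_command_as_cmd_sees_it(reported_value))
    print("child received:", repr(child_argv_via_list(reported_value)))
```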
[issue22885] Arbitrary code execution vulnerability due to unchecked eval() call in dumbdbm module
New submission from Stephen Farris:

The dumbdbm module uses an unchecked call to eval() in the _update method, which is called in response to a call to dumbdbm.open(), and is used to load the index from the directory file. This poses a security vulnerability because it allows an attacker to execute arbitrary code on the victim's machine by inserting Python code into the DBM directory file. This vulnerability could allow an attacker to execute arbitrary commands on the victim machine, potentially allowing them to deploy malware, gain system access, destroy files and data, expose sensitive information, etc.

components: Library (Lib)
messages: 231255
nosy: Guido.van.Rossum, lemburg, stephen.farris
priority: normal
severity: normal
status: open
title: Arbitrary code execution vulnerability due to unchecked eval() call in dumbdbm module
type: security
versions: Python 2.7

Python tracker <http://bugs.python.org/issue22885>