[New-bugs-announce] [issue16112] platform.architecture does not correctly escape argument to /usr/bin/file

David Benjamin report at bugs.python.org
Tue Oct 2 21:15:16 CEST 2012


New submission from David Benjamin:

The implementation of platform.architecture shells out to the file command. It tries to escape quotes by replacing " with \", but that's not sufficient.

$ python3.2 -c 'import platform; platform.architecture("foo\\\"; echo Hi there > /tmp/Z; echo \\\"")' && cat /tmp/Z
Hi there

Here's a patch to make it use subprocess instead. I haven't tested it thoroughly building everything from trunk and running tests, but I verified it works by replacing the platform.py in my system Python install.

----------
components: Library (Lib)
files: fix-platform-architecture.patch
keywords: patch
messages: 171825
nosy: David.Benjamin
priority: normal
severity: normal
status: open
title: platform.architecture does not correctly escape argument to /usr/bin/file
type: security
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4, Python 3.5
Added file: http://bugs.python.org/file27391/fix-platform-architecture.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue16112>
_______________________________________
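
The following is an added example, not the attached patch and not code from the Python source tree. It reproduces the quoting flaw the report describes and compares it with passing an argument list to subprocess. Assumptions: printf stands in for the file command, and the filename and the INJECTED marker are constructed for the demonstration.

```python
import shlex
import subprocess

# Constructed, harmless filename: backslash, double quote, then a marker command.
NAME = 'x\\"; echo INJECTED #'
STAND_IN = "printf '%s\\n'"   # assumption: stands in for the `file` command


def naive_escape(name):
    # The escaping the report describes: " becomes \" and nothing else changes.
    return name.replace('"', '\\"')


def _sh(cmd):
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout.splitlines()


def run_via_shell(name):
    # Flawed pattern: \" in the name turns into \\" (escaped backslash, then a
    # closing quote), so the rest of the name is parsed as shell syntax.
    return _sh(f'{STAND_IN} "{naive_escape(name)}"')


def run_via_shell_quoted(name):
    # If a shell is unavoidable, shlex.quote() quotes the whole argument.
    return _sh(f"{STAND_IN} {shlex.quote(name)}")


def run_via_argv(name):
    # Approach named in the report: subprocess with an argument list, no shell.
    out = subprocess.run(["printf", "%s\\n", name], capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("shell + naive escape:", run_via_shell(NAME))
    print("shell + shlex.quote :", run_via_shell_quoted(NAME))
    print("argv list, no shell :", run_via_argv(NAME))
```

Only the first call emits INJECTED as a separate output line; the other two hand the filename to the stand-in command as one literal argument.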

