[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

Cameron Simpson cs at zip.com.au
Fri Sep 26 01:14:37 CEST 2014


On 26Sep2014 00:17, Antoine Pitrou <solipsis at pitrou.net> wrote:
>On Thu, 25 Sep 2014 13:00:16 -0700
>Bob Hanson <d2mp1a9 at newsguy.com> wrote:
>> Critical bash vulnerability CVE-2014-6271 may affect Python on
>> *n*x and OSX:
>> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
[...]
>Fortunately, Python's subprocess has its `shell` argument default to
>False. However, `os.system` invokes the shell implicitly and is
>therefore a possible attack vector.

Only if /bin/sh is bash :-) Not always the case, fortunately.

Cheers,
Cameron Simpson <cs at zip.com.au>

Death is life's way of telling you you've been fired.   - R. Geis
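
Added example, not part of the original message or of CPython: it combines the two points made in this thread by listing the Python call sites that reach `/bin/sh` (`os.system`, `os.popen`, `subprocess` calls with `shell=` set) and checking whether the local `/bin/sh` is bash. The function names, the sample source and the `--version` heuristic are assumptions of this example.

```python
import ast
import os
import subprocess

# Calls that always hand their argument to /bin/sh.
IMPLICIT_SHELL = {("os", "system"), ("os", "popen")}

def shell_call_sites(source):
    """Return (line, description) for calls in `source` that go through the shell."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            continue
        mod, name = node.func.value.id, node.func.attr
        if (mod, name) in IMPLICIT_SHELL:
            hits.append((node.lineno, f"{mod}.{name} (implicit shell)"))
        elif mod == "subprocess":
            for kw in node.keywords:
                # shell=<anything but a literal False> may reach /bin/sh
                if kw.arg == "shell" and not (
                        isinstance(kw.value, ast.Constant) and kw.value.value is False):
                    hits.append((node.lineno, f"subprocess.{name} (shell= set)"))
    return sorted(hits)

def looks_like_bash(resolved_path, version_output):
    """Heuristic: path resolves to bash, or the binary reports itself as GNU bash."""
    return os.path.basename(resolved_path) == "bash" or "GNU bash" in version_output

def sh_is_bash(sh="/bin/sh"):
    """Check the local /bin/sh; the probe runs with an empty environment."""
    try:
        out = subprocess.run([sh, "--version"], env={}, capture_output=True,
                             text=True, timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired):
        out = ""  # missing or unresponsive shell: fall back to the path check
    return looks_like_bash(os.path.realpath(sh), out)

# Constructed sample input, not taken from any real project.
SAMPLE = '''import os, subprocess
os.system("ls " + path)
subprocess.call(["ls", path])
subprocess.check_output("ls " + path, shell=True)
subprocess.Popen(["ls", path], shell=False)
'''

if __name__ == "__main__":
    print(shell_call_sites(SAMPLE))
    print("/bin/sh is bash:", sh_is_bash())
```

The version probe covers systems where `/bin/sh` is a separate bash binary rather than a symlink, which the path check alone would miss.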

