[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Wes Turner
wes.turner at gmail.com
Fri Sep 26 02:10:22 CEST 2014
> The part where the attack payload is passed through the environment, not
through hypothetical user-injected command-line arguments.
So, best advice would be to:
1. Upgrade bash (and stand by for an additional patch, according to reddit)
2. Upgrade to WSGI, if possible
3. Be careful about including things from os.environ?
4. Always avoid allowing user input with os.system, os.popen, and
subprocess.xyz(cmd, shell=True) [which doesn't need "#aftershock"]
Am I missing something?
seeAlso:
* http://cwe.mitre.org/top25/#CWE-78 "Improper Neutralization of
Special Elements used in an OS Command ('OS Command Injection')"
* http://cwe.mitre.org/data/definitions/78.html
* https://www.owasp.org/index.php/Top_10_2013-A1-Injection
* https://en.wikipedia.org/wiki/Code_injection#Shell_injection
On Thu, Sep 25, 2014 at 6:53 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Fri, 26 Sep 2014 09:40:17 +1000
> Steven D'Aprano <steve at pearwood.info> wrote:
>> Perhaps I'm missing something, but aren't there easier ways to attack
>> os.system than the bash env vulnerability? If I'm accepting and running
>> arbitrary strings from an untrusted user, there's no need for them to go
>> to the trouble of feeding me:
>>
>> "env x='() { :;}; echo gotcha' bash -c 'echo do something useful'"
>>
>> when they can just feed me:
>>
>> "echo gotcha"
>>
>> In other words, os.system is *already* an attack vector, unless you only
>> use it with trusted strings. I don't think the bash env vulnerability
>> adds to the attack surface.
>>
>> Have I missed something?
>
> The part where the attack payload is passed through the environment, not
> through hypothetical user-injected command-line arguments.
>
> Regards
>
> Antoine.
--
Wes Turner
https://westurner.github.io/
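As an added example (not code from this thread), one way to put items 3 and 4 above into practice in Python: run commands as an argument list with shell=False, and hand the child an allow-listed environment with any value carrying the exported-function marker dropped. The constructed environment, the HTTP_USER_AGENT variable name and the allow-list are illustrative assumptions.

```python
import os
import re
import subprocess
from typing import Dict, List, Optional

# Pre-patch bash treated any environment value starting with "() {" as an
# exported function definition; CVE-2014-6271 is that it kept executing what
# followed the closing brace. Matching this prefix is a coarse defensive check.
_FUNC_EXPORT = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample environment, as a CGI-style server might build it
# (assumed variable names; the value is the test string quoted in the thread).
CONSTRUCTED_ENV: Dict[str, str] = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/tmp",
    "HTTP_USER_AGENT": "() { :;}; echo gotcha",
}


def suspicious_env_vars(env: Dict[str, str]) -> List[str]:
    """Names of variables whose value looks like a bash function export."""
    return sorted(k for k, v in env.items() if _FUNC_EXPORT.match(v))


def safe_env(env: Optional[Dict[str, str]] = None,
             allow: tuple = ("PATH", "LANG", "HOME")) -> Dict[str, str]:
    """Minimal child environment: allow-listed names only, and none whose
    value carries the function-export marker (item 3 of the advice)."""
    src = os.environ if env is None else env
    return {k: src[k] for k in allow
            if k in src and not _FUNC_EXPORT.match(src[k])}


def run_argv(argv: List[str],
             env: Optional[Dict[str, str]] = None) -> subprocess.CompletedProcess:
    """Run a command as an argv list, no shell, with a scrubbed environment.
    Untrusted text reaches the child only as a single argument, so shell
    metacharacters in it are never interpreted (item 4 of the advice)."""
    if not argv or any(not isinstance(a, str) for a in argv):
        raise ValueError("argv must be a non-empty list of strings")
    return subprocess.run(argv, env=safe_env(env), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("flagged:", suspicious_env_vars(CONSTRUCTED_ENV))
    print("child env:", safe_env(CONSTRUCTED_ENV))
    print(run_argv(["echo", "$HOME; echo gotcha"], CONSTRUCTED_ENV).stdout, end="")
```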