This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: ctypes.util , Shell Injection in find_library()
Type: security Stage:
Components: ctypes Versions: Python 3.4, Python 2.7
Status: closed Resolution: duplicate
Dependencies: Superseder: avoid using a shell in ctypes.util: replace os.popen with subprocess
View: 22636
Assigned To: Nosy List: TheRegRunner, martin.panter, xnox
Priority: normal Keywords: patch

Created on 2015-11-27 20:19 by TheRegRunner, last changed 2022-04-11 14:58 by admin. This issue is now closed.

File name Uploaded Description Edit
workaround.diff TheRegRunner, 2015-11-27 20:19 patch
Messages (6)
msg255482 - (view) Author: Bernd Dietzel (TheRegRunner) Date: 2015-11-27 20:19
The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the script should be replaced with "subprocess.Popen()".

Demo Exploits for Linux :

>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"

==== Traceback ====

>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/", line 99, in _findLib_gcc
    trace =
msg255523 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-11-28 03:29
There is a patch at Issue 22636 which looks like it replaces all five os.popen() calls.
msg255524 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-11-28 03:31
Your Ubuntu link seems broken, or is that a private report?
msg255539 - (view) Author: Bernd Dietzel (TheRegRunner) Date: 2015-11-28 12:30
i made the ubuntu link readable for everyone.
msg255633 - (view) Author: Dimitri John Ledkov (xnox) * Date: 2015-12-01 01:10
Whilst fixed in 3.5, it is not fixed in 2.7. And the reporter believes this is a security vulnerability.

Can this be cherry-picked into the 2.7 branch?
msg255634 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-12-01 01:54
I do not believe 3.5 is fixed either:

$ python3.5
Python 3.5.0 (default, Sep 20 2015, 11:28:25) 
[GCC 5.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes.util
>>> ctypes.util.find_library("; echo Hello shell >&2")
Hello shell

Issue 22636 has a patch with some review comments, but is is still open. I think it needs someone to take another look, perhaps update the patch, and get it committed.

I will mark the other issue as a bug fix for 2.7 and 3.4+.
Date User Action Args
2022-04-11 14:58:24adminsetgithub: 69937
2015-12-01 01:54:54martin.pantersetmessages: + msg255634
2015-12-01 01:10:00xnoxsetnosy: + xnox
messages: + msg255633
2015-11-28 12:30:40TheRegRunnersetmessages: + msg255539
2015-11-28 03:31:02martin.pantersetmessages: + msg255524
2015-11-28 03:29:09martin.pantersetstatus: open -> closed

nosy: + martin.panter
messages: + msg255523

superseder: avoid using a shell in ctypes.util: replace os.popen with subprocess
resolution: duplicate
2015-11-27 20:19:20TheRegRunnercreate