
classification
Title: subprocess: execution of batch-files (.cmd/.bat) is vulnerable in python for windows / insufficient escape
Type: security
Stage:
Components: Library (Lib), Windows
Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: paul.moore, sebres, steve.dower, tim.golden, zach.ware
Priority: normal
Keywords:

Created on 2018-08-24 19:44 by sebres, last changed 2022-04-11 14:59 by admin.

Pull Requests
PR 8906: status closed; linked by sebres, 2018-08-24 19:44
Messages (4)
msg324013 - Author: Sergey G. Brester (sebres) - Date: 2018-08-24 19:44
There is a vulnerability, "insufficient escape of special chars for quoting of arguments by exec process", in the Python language when executing Windows batch files (bat/cmd).

### What version of python is affected?
All

### Does this issue reproduce with the latest master?
Yes

### What did you do?
Execution of a batch file using the `subprocess` module with arguments containing some special meta-characters.

A recipe for reproducing the error, as well as a more extensive PoC with additional info (and other affected languages as well):
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/README.md
A complete runnable program:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/test-dump-inv.py

#### A simple example:
```diff
 # invoke exe-file:
 >>> import subprocess
 >>> subprocess.call(['test-dump.exe', 'test&whoami'])
+    `test-dump.exe´ `test&whoami´
 # invoke cmd-file:
 >>> subprocess.call(['test-dump.CMD', 'test&whoami'])
-    `test-dump.exe´ `test´my_domain\sebres
```
For more "broken" cases, see the result of my test-suite:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/results/python.diff

### What did you expect to see?
Arguments are escaped/quoted properly.

### What did you see instead?
Arguments are insufficiently escaped/quoted, so it is currently vulnerable.

### Solution:

For a possible solution, see GitHub PR #8906:
- https://github.com/python/cpython/pull/8906
For the algorithm description:
- https://github.com/sebres/PoC/blob/master/SB-0D-001-win-exec/SOLUTION.md
and for how it was fixed in TCL (C code):
- https://core.tcl-lang.org/tcl/vdiff?from=core-8-5-branch&to=0-day-21b0629c81 (see the function `BuildCommandLine`)

### Possible similar issues:
bpo-33515
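
The following is an added example, not part of the original report or of PR 8906. It shows the command line that `subprocess.list2cmdline` builds for the report's sample argument, and a caller-side guard that refuses to hand such arguments to a batch file. The `CMD_META` deny-list and the helper names are assumptions of this example, not the escaping algorithm proposed in the PR.

```python
import subprocess

# Assumption: a conservative deny-list of characters that cmd.exe interprets.
# This is not the escaping algorithm proposed in the PR.
CMD_META = frozenset('&|<>^%!()"\r\n')
BATCH_EXTS = ('.bat', '.cmd')


def raw_cmdline(argv):
    """Command line string that subprocess builds from a list on Windows."""
    return subprocess.list2cmdline(argv)


def risky_args(argv):
    """Arguments that would reach cmd.exe with metacharacters in them."""
    if not argv[0].lower().endswith(BATCH_EXTS):
        return []  # not a batch target: cmd.exe does not parse this line
    return [a for a in argv[1:] if CMD_META.intersection(a)]


def checked_cmdline(argv):
    """Build the command line, refusing batch targets with risky arguments."""
    bad = risky_args(argv)
    if bad:
        raise ValueError(f"refusing to pass {bad!r} to batch file {argv[0]!r}")
    return raw_cmdline(argv)


if __name__ == "__main__":
    # Constructed sample inputs, modelled on the example in the report.
    for argv in (['test-dump.exe', 'test&whoami'],
                 ['test-dump.CMD', 'hello world'],
                 ['test-dump.CMD', 'test&whoami']):
        print(raw_cmdline(argv), '->', risky_args(argv) or 'ok')
```

`list2cmdline` adds quotes only for empty arguments and those containing spaces or tabs, so `test&whoami` is emitted unquoted; the guard rejects it instead of attempting to escape it.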
msg324186 - Author: Steve Dower (steve.dower) (Python committer) - Date: 2018-08-27 16:11
Would you consider adding your test suite into the regression tests as well?

Right now, this is a well known issue on all platforms, but there is no clear universal solution. If your approach works well for all platforms and does not adversely impact any of them, it could be considered. But otherwise, we would prefer to keep our advice to not use subprocess with untrusted data while still allowing it in circumstances where the developer chooses otherwise.
msg324321 - Author: Sergey G. Brester (sebres) - Date: 2018-08-29 13:23
> Would you consider adding your test suite into the regression tests as well?

Sure. Done.

> Right now, this is a well known issue on all platforms

Really? I can't imagine this for anything other than Windows (and it is currently also fixed for Windows only).
Anyway, if you want the same test cases for other platforms as well, the Windows skip constraint of the new test class "CommandTryInject" should be removed (and the set-up as well as "_do_execwithargs" should get additional processing for a *nix shell script instead of the .bat file).
msg324379 - Author: Sergey G. Brester (sebres) - Date: 2018-08-30 11:59
I have extended the PR a bit (more tests and corresponding documentation part).
History
Date | User | Action | Args
2022-04-11 14:59:05 | admin | set | github: 78670
2018-08-30 11:59:33 | sebres | set | messages: + msg324379
2018-08-29 13:23:42 | sebres | set | messages: + msg324321
2018-08-27 16:11:21 | steve.dower | set | messages: + msg324186
2018-08-24 19:44:10 | sebres | create |