-
-
Notifications
You must be signed in to change notification settings - Fork 29.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pwd, spwd, grp functions vulnerable to denial of service #49109
Comments
The pwd (and spwd and grp) modules deal with data from This causes a problem since the functions in these modules try to Currently, the pwd module tries to decode the string fields using A debug build of Python also reports a reference counting error I've also written a patch (bytes.diff, attached) that would add Alternatively or in addition, a quick "fix" for the GECOS problem |
Any decision on this issue should be deferred until a PEP has been |
baikie: Open a separated issue for the refcount error and fd leak. |
On Ubuntu, it's not possible to create an user with a non-ASCII name: $ sudo adduser é --no-create-home
adduser: To avoid problems, the username should consist only of
letters, digits, underscores, periods, at signs and dashes, and not
start with a dash (as defined by IEEE Std 1003.1-2001). For
compatibility with Samba machine accounts $ is also supported at
the end of the username |
About pwd, we have 7 fields:
We can expect GECOS and filenames to be encoded in the "default system Your patch latin1.diff is wrong: the charset is not always latin-1 or The situation is similar to the bytes/unicode filename debate (see The default should be unicode, but we need to be able get all fields We have already bytes/unicode functions using the "b" suffix: Note: The GECOS field problem was already reported in issue bpo-3023 (by |
I don't think that it can be called a "denial of service attack". |
OK. It does affect 2.x as well, come to think of it.
Well, good for Ubuntu :) But you can still add one with the
Yes, I know it's "wrong" - I just thought of it as a stopgap
It depends on how the program uses these functions. Obviously |
Patch to make pwd, spwd and grp decode their string fields using |
Patch to make get*nam() functions encode their arguments using |
Thanks for the patches. Committed as r73015. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: