
Author TheRegRunner
Recipients TheRegRunner
Date 2015-11-27.20:19:20
Message-id <1448655560.8.0.523539379986.issue25751@psf.upfronthosting.co.za>
Content
The find_library() function can execute code when special chars like ;|`<>$ are in the name.
The "os.popen()" calls in the util.py script should be replaced with "subprocess.Popen()".

Demo Exploits for Linux :
====================

>>> from ctypes.util import find_library
>>> find_library(";xeyes") # runs xeyes
>>> find_library("|xterm") # runs terminal
>>> find_library("&gimp") # runs gimp
>>> find_library("$(nautilus)") # runs filemanager
>>> find_library(">test") # creates, and if exists, erases a file "test"

==== Traceback ====

>>> find_library("`xmessage hello`") # shows a message, press ctrl+c for Traceback
^CTraceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.4/ctypes/util.py", line 244, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib/python3.4/ctypes/util.py", line 99, in _findLib_gcc
    trace = f.read()
KeyboardInterrupt


https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1512068
History
Date                 User          Action  Args
2015-11-27 20:19:20  TheRegRunner  set     recipients: + TheRegRunner
2015-11-27 20:19:20  TheRegRunner  set     messageid: <1448655560.8.0.523539379986.issue25751@psf.upfronthosting.co.za>
2015-11-27 20:19:20  TheRegRunner  link    issue25751 messages
2015-11-27 20:19:20  TheRegRunner  create
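
The replacement the report asks for, shown as an added example (not code from ctypes/util.py and not the reporter's): the same probe is run once as a shell command line and once as an argument vector. `echo` stands in for the real linker command, and the function names, the sample names and the name allowlist are assumptions made here.

```python
import re
import subprocess

# Constructed stand-in for the linker probe: "echo" replaces the real
# compiler/ldconfig command so the example runs on any POSIX system.
PROBE = "echo"


def probe_via_shell(name):
    """Pattern described in the report: the library name is concatenated
    into a command string that /bin/sh parses, as os.popen(cmd) does."""
    cmd = PROBE + " -l" + name
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def probe_via_argv(name):
    """Hardened form: an argument vector and no shell, so ; | & $ ` < >
    reach the probe as literal bytes of a single argument."""
    done = subprocess.run([PROBE, "-l" + name], capture_output=True, text=True)
    return done.stdout.splitlines()


# Assumed allowlist (not from the report): characters that occur in
# ordinary library names. A caller can reject anything else up front.
_PLAIN_NAME = re.compile(r"[A-Za-z0-9_.+-]+")


def is_plain_library_name(name):
    return _PLAIN_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, one carrying a harmless marker.
    for sample in ("m", "m; echo INJECTED"):
        print(repr(sample))
        print("  shell:", probe_via_shell(sample))
        print("  argv :", probe_via_argv(sample))
        print("  plain:", is_plain_library_name(sample))
```

With the shell form, the second sample produces an extra output line from a second command; with the argument-vector form the whole string comes back as one literal argument.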