Bernd Dietzel added the comment:
I made the Ubuntu link readable for everyone.
--
___
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/i
New submission from Bernd Dietzel:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183
File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py
Line 358 :
This line in the code uses the deprecated os.popen command and should be replaced
with subprocess.Popen():
out = os.popen
Changes by Bernd Dietzel <python@theregrunner.com>:
title: distutils : file "bdist_rpm.py" allows Shell injection in "name ->
distutils : file "bdist_rpm.py" allows Shell injection in "name"
Bernd Dietzel added the comment:
My patch for mailcap.py. Please check and apply my patch.
1) I have removed the os.system() calls for security reasons.
2) New "findmtach_list()" function which returns the command line as a [list]
which can be passed to subprocess instead
Bernd Dietzel added the comment:
# for the docs ... quoting of the filename when you call mailcap.findmatch()
f=;xterm;#.txt # Shell Command Demo ... xterm will run if quote() fails
import mailcap
import random
try:
from shlex import quote
except ImportError:
from pipes import quote
d
Bernd Dietzel added the comment:
What I do in the last doc is like this:
1) Replace the filename with a random name
2) Run mailcap.findmatch() with the random name
3) If it exists, replace the quote characters ' before and behind the random name
with nothing.
4) Now the random name has
Bernd Dietzel added the comment:
Yes changing the docs is a good idea.
I was thinking about a patch :
import os
### patch
import random
try:
from shlex import quote
except ImportError:
from pipes import quote
###
... and so on
# Part 3: using the database.
def
Bernd Dietzel added the comment:
@David
Thanks for the comment :-)
I think if you read the documentation
https://docs.python.org/2/library/mailcap.html
this may lead new programmers, who may never have heard of shell injections before,
step by step directly to writing insecure web browsers
Bernd Dietzel added the comment:
Exploit demo which works with quote():
commandline,MIMETYPE=mailcap.findmatch(d, 'text/*',
filename=quote(';xterm;#.txt'))
commandline
less '';xterm;#.txt''
os.system(commandline)
### xterm starts
New submission from Bernd Dietzel:
If the filename contains shell commands they will be executed if they
are passed to os.system() as described in the docs.
The filename should be quoted with quote(filename) to fix the bug.
https://docs.python.org/2/library/mailcap.html
mailcap.findmatch(/caps
Bernd Dietzel added the comment:
Maybe it would be a good idea to do so as run-mailcap does :
theregrunner@mint17 : ~ € run-mailcap --debug ';xterm;#'.txt
- parsing parameter ';xterm;#'.txt
- Reading mime.types file /etc/mime.types...
- extension txt maps to mime-type text/plain
- Reading
11 matches