On Fri, 26 Sep 2014 09:40:17 +1000
Steven D'Aprano <st...@pearwood.info> wrote:
> Perhaps I'm missing something, but aren't there easier ways to attack
> os.system than the bash env vulnerability? If I'm accepting and running
> arbitrary strings from an untrusted user, there's no need for them to go
> to the trouble of feeding me:
>
> "env x='() { :;}; echo gotcha' bash -c 'echo do something useful'"
>
> when they can just feed me:
>
> "echo gotcha"
>
> In other words, os.system is *already* an attack vector, unless you only
> use it with trusted strings. I don't think the bash env vulnerability
> adds to the attack surface.
>
> Have I missed something?

The part where the attack payload is passed through the environment, not
through hypothetical user-injected command-line arguments.

Regards

Antoine.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
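
An added illustration of the reply's point (not code from the thread): a fixed, trusted command still hands the whole process environment to the child, so the defensive check belongs on the environment, not only on the command string. The variable name `UNTRUSTED_HEADER`, the allow-list and the helper names are assumptions made for this example.

```python
import os
import subprocess
import sys

# An unpatched bash treats an environment value that begins with "() {"
# as a function definition to import, as in the payload quoted above.
FUNC_PREFIX = "() {"

# Constructed sample: one variable's value came from an untrusted source.
SAMPLE_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "LANG": "C",
    "UNTRUSTED_HEADER": "() { :;}; echo gotcha",  # hypothetical name
}


def suspicious_vars(env):
    """Names of variables whose values look like bash function definitions."""
    return sorted(k for k, v in env.items() if v.startswith(FUNC_PREFIX))


def scrubbed_env(env, allow=("PATH", "LANG", "HOME")):
    """Keep only allow-listed variables, and none with function-like values."""
    return {
        k: env[k]
        for k in allow
        if k in env and not env[k].startswith(FUNC_PREFIX)
    }


def run_fixed_command(argv, env):
    """Run a fixed argv with no shell and a scrubbed environment."""
    result = subprocess.run(
        argv,
        env=scrubbed_env(env),
        shell=False,  # no /bin/sh in between, unlike os.system()
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print("flagged:", suspicious_vars(SAMPLE_ENV))
    child = [sys.executable, "-c", "import os; print(sorted(os.environ))"]
    print("child sees:", run_fixed_command(child, SAMPLE_ENV).strip())
```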