On Thu, Sep 25, 2014 at 4:53 PM, Antoine Pitrou <solip...@pitrou.net> wrote: >> In other words, os.system is *already* an attack vector, unless you only >> use it with trusted strings. I don't think the bash env vulnerability >> adds to the attack surface. >> >> Have I missed something? > > The part where the attack payload is passed through the environment, not > through hypothetical user-injected command-line arguments.
As I understand it, if the attacker can help specify the environment (e.g. this is a CGI script), and you run os.system('echo hi'), you can get pwned. Even safe uses of os.system are vulnerable unless you point /bin/sh at a secure shell (e.g. patched bash). -- Devin _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com