Bernd Dietzel added the comment:
i made the ubuntu link readable for everyone.
--
___
Python tracker
<http://bugs.python.org/issue25751>
___
___
Python-bugs-list m
New submission from Bernd Dietzel:
The find_library() function can execute code when special chars like ;|`<>$ are
in the name.
The "os.popen()" calls in the util.py script should be replaced with
"subprocess.Popen()".
Demo Exploits for Linux :
Changes by Bernd Dietzel :
--
title: distutils : file "bdist_rpm.py" allows Shell injection in "name ->
distutils : file "bdist_rpm.py" allows Shell injection in "name"
___
Python track
New submission from Bernd Dietzel:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1514183
File :
/usr/lib/python2.7/distutils/command/bdist_rpm.py
Line 358 :
This line in the code uses the depreached os.popen command, should be replaced
with subprocess.Popen() :
out = os.popen
Bernd Dietzel added the comment:
My patch for mailcap.py. Please check and apply my patch please.
1) I have removed the os.system() calls for security reasons.
2) New "findmtach_list()" function witch returns the commandline as a [list]
witch can be passed to subprocess instead of
Bernd Dietzel added the comment:
Thanks :-)
As you may noticed i now choosed to use a random name made of the chars of
"PYTHON" in BIG letters instead of small letters i used before.
Thats because i do not want to get in trouble with the little "t" in %t wich is
r
Bernd Dietzel added the comment:
What i do is the last doc is like this :
1) Replace the filename with a random name
2) Run mailcap.findmatch() with the random name
3) If exists, replace the quote characters ' before and behind the random name
with nothing.
4) Now the random name h
Bernd Dietzel added the comment:
# for the docs ... quoting of the filename when you call mailcap.findmatch()
f=";xterm;#.txt" # Shell Command Demo ... xterm will run if quote() fails
import mailcap
import random
try:
from shlex import quote
except ImportError:
from pipes impo
Bernd Dietzel added the comment:
Yes changing the docs is a good idea.
I was thinking about a patch :
import os
### patch
import random
try:
from shlex import quote
except ImportError:
from pipes import quote
###
... and so on
# Part 3: using the database.
def
Bernd Dietzel added the comment:
Exploid Demo wich works with quote() :
>>> commandline,MIMETYPE=mailcap.findmatch(d, 'text/*',
>>> filename=quote(';xterm;#.txt'))
>>> commandline
"less '&#x
Bernd Dietzel added the comment:
@David
Thanks for the comment :-)
I think if you read the Documentation
https://docs.python.org/2/library/mailcap.html
this may lead new programmers, wich may never heard of Shell Injections before,
step by step directly to write insecure webbbrowsers and/or
Bernd Dietzel added the comment:
Maybe it would be a good idea to do so as run-mailcap does :
theregrunner@mint17 : ~ € run-mailcap --debug "';xterm;#'.txt"
- parsing parameter "';xterm;#'.txt"
- Reading mime.types file "/etc/mime.types"..
New submission from Bernd Dietzel:
if the filename contains Shell Commands they will be executed if they
are passed to os.system() as discribed in the docs.
Filename should be quoted with quote(filename) to fix the bug.
https://docs.python.org/2/library/mailcap.html
"mailcap.findmatch(
13 matches
Mail list logo
