oss-sec mailing list archives
Re: CVE request: python-gnupg before 0.3.5 shell injection
From: Henri Salo <henri () nerv fi>
Date: Tue, 4 Feb 2014 12:04:01 +0200
On Tue, Feb 04, 2014 at 10:35:46AM +0100, Hanno Böck wrote:
python-gnupg 0.3.5 lists in the changelog: "Added improved shell quoting to guard against shell injection." Sounds like a severe security issue, but further info is lacking.
Diff attached. New function shell_quote() seems to represent major changes to
shell input quoting against unsafe input.
+# We use the test below because it works for Jython as well as CPython
+if os.path.__name__ == 'ntpath':
+ # On Windows, we don't need shell quoting, other than worrying about
+ # paths with spaces in them.
+ def shell_quote(s):
+ return '"%s"' % s
+else:
+ # Section copied from sarge
+
+ # This regex determines which shell input needs quoting
+ # because it may be unsafe
+ UNSAFE = re.compile(r'[^\w%+,./:=@-]')
+
+ def shell_quote(s):
+ """
+ Quote text so that it is safe for Posix command shells.
+
+ For example, "*.py" would be converted to "'*.py'". If the text is
+ considered safe it is returned unquoted.
+
+ :param s: The value to quote
+ :type s: str (or unicode on 2.x)
+ :return: A safe version of the input, from the point of view of Posix
+ command shells
+ :rtype: The passed-in type
+ """
+ if not isinstance(s, string_types):
+ raise TypeError('Expected string type, got %s' % type(s))
+ if not s:
+ result = "''"
+ elif len(s) >= 2 and (s[0], s[-1]) == ("'", "'"):
+ result = '"%s"' % s.replace('"', r'\"')
+ elif not UNSAFE.search(s):
+ result = s
+ else:
+ result = "'%s'" % s.replace("'", "'\"'\"'")
+ return result
+
+ # end of sarge code
---
Henri Salo
Attachment:
python-gnupg.diff
Description:
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE request: python-gnupg before 0.3.5 shell injection Hanno Böck (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Henri Salo (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Florian Weimer (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Henri Salo (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Henri Salo (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Florian Weimer (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Vinay Sajip (Feb 05)
- Re: Re: CVE request: python-gnupg before 0.3.5 shell injection Florian Weimer (Feb 05)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Vinay Sajip (Feb 05)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Florian Weimer (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Henri Salo (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection cve-assign (Feb 09)
