Date: Tue, 4 Feb 2014 12:04:01 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: python-gnupg before 0.3.5 shell injection

On Tue, Feb 04, 2014 at 10:35:46AM +0100, Hanno Böck wrote:
> python-gnupg 0.3.5 lists in the changelog:
> "Added improved shell quoting to guard against shell injection."
>
> Sounds like a severe security issue, but further info is lacking.

Diff attached. New function shell_quote() seems to represent major changes to shell input quoting against unsafe input.

+# We use the test below because it works for Jython as well as CPython
+if os.path.__name__ == 'ntpath':
+    # On Windows, we don't need shell quoting, other than worrying about
+    # paths with spaces in them.
+    def shell_quote(s):
+        return '"%s"' % s
+else:
+    # Section copied from sarge
+
+    # This regex determines which shell input needs quoting
+    # because it may be unsafe
+    UNSAFE = re.compile(r'[^\w%+,./:=@...)
+
+    def shell_quote(s):
+        """
+        Quote text so that it is safe for Posix command shells.
+
+        For example, "*.py" would be converted to "'*.py'". If the text is
+        considered safe it is returned unquoted.
+
+        :param s: The value to quote
+        :type s: str (or unicode on 2.x)
+        :return: A safe version of the input, from the point of view of Posix
+                 command shells
+        :rtype: The passed-in type
+        """
+        if not isinstance(s, string_types):
+            raise TypeError('Expected string type, got %s' % type(s))
+        if not s:
+            result = "''"
+        elif len(s) >= 2 and (s, s[-1]) == ("'", "'"):
+            result = '"%s"' % s.replace('"', r'\"')
+        elif not UNSAFE.search(s):
+            result = s
+        else:
+            result = "'%s'" % s.replace("'", "'\"'\"'")
+        return result
+
+    # end of sarge code

---
Henri Salo

View attachment "python-gnupg.diff" of type "text/x-diff" (17476 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
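Review bot: the branch `elif len(s) >= 2 and (s, s[-1]) == ("'", "'")` in the Posix shell_quote() can never be taken, because it compares the whole string `s` (not its first character) against `"'"`, which is impossible once `len(s) >= 2`; a value that already starts and ends with a single quote therefore falls through to the final branch and is wrapped in another layer of quotes instead of being double-quoted with escaped `"`. If the intent is the sarge check, it should read `(s[0], s[-1]) == ("'", "'")`. Two smaller points on the same hunk: the Windows branch `return '"%s"' % s` wraps the value in double quotes without escaping any `"` already inside it, so it only addresses the "paths with spaces" case its comment describes and not arbitrary untrusted input, which the commit message and subject line imply is the goal; and the `UNSAFE` regex is cut off in the quoted text (`r'[^\w%+,./:=@...`), so the full character class, which decides what is returned unquoted, has to be checked in the attached diff rather than here.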