Date: Tue, 04 Feb 2014 15:29:24 +0100
From: Florian Weimer <fweimer@...hat.com>
To: Henri Salo <henri@...v.fi>, oss-security@...ts.openwall.com
CC: Matthew Daley <mattd@...fuzz.com>
Subject: Re: CVE request: python-gnupg before 0.3.5 shell injection

On 02/04/2014 02:50 PM, Henri Salo wrote:
> Upstream has made new version for testing. Please do comment if you have time. I
> will also test that later and maybe provide more unit tests.
>
> https://code.google.com/p/python-gnupg/issues/detail?id=98#c4

I can't create a Google account right now.

This:
         if not s:
             result = "''"
         elif len(s) >= 2 and (s[0], s[-1]) == ("'", "'"):
             result = '"%s"' % s.replace('"', r'\"').replace("'", r"'\''")
         elif not UNSAFE.search(s):
             result = s
         else:
             result = "'%s'" % s.replace("'", r"'\''")
         return result

should be:

	return "'" + s.replace("'", r"'\''") + "'"

If I write "wrap them in ''", I mean single quotes, not double quotes. 
Those behave differently in shell.

If upstream really wants to strip the outer '', it can use this instead:

	if s[:1] == "'" and s[-1:] == "'":
	    s = s[1:-1]
	return "'" + s.replace("'", r"'\''") + "'"

Again, this may or may not be safe in some Far-Eastern locales.

-- 
Florian Weimer / Red Hat Product Security Team
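
A round-trip check for the two quoting variants discussed in the message above, as an added example that is not part of the original message or of python-gnupg. The function names, the sample inputs and the UNSAFE pattern (the message does not show its definition) are assumptions made for illustration.

```python
import re
import subprocess

# Assumed pattern for the UNSAFE name used in the quoted snippet; the
# message does not show its definition. This one mirrors shlex.quote().
UNSAFE = re.compile(r"[^\w@%+=:,./-]")

def quote_proposed(s):
    """The quoted upstream test version, wrapped in a function."""
    if not s:
        result = "''"
    elif len(s) >= 2 and (s[0], s[-1]) == ("'", "'"):
        result = '"%s"' % s.replace('"', r'\"').replace("'", r"'\''")
    elif not UNSAFE.search(s):
        result = s
    else:
        result = "'%s'" % s.replace("'", r"'\''")
    return result

def quote_single(s):
    """The one-line replacement: always wrap in single quotes."""
    return "'" + s.replace("'", r"'\''") + "'"

def shell_sees(quoted):
    """Return the argument sh passes on after parsing `quoted`."""
    out = subprocess.run(["sh", "-c", "printf %s " + quoted],
                         capture_output=True, text=True, check=True)
    return out.stdout

# Constructed inputs; the marker command only echoes a word.
SAMPLES = ["", "plain", "it's", 'say "hi"', "a b;c", "$HOME",
           "'$(echo EXPANDED)'", "'`echo EXPANDED`'"]

def round_trip_failures(quote):
    """Inputs that the shell does not hand back byte-for-byte."""
    return [s for s in SAMPLES if shell_sees(quote(s)) != s]

if __name__ == "__main__":
    print("single-quote wrap:", round_trip_failures(quote_single))
    print("proposed version: ", round_trip_failures(quote_proposed))
```

An input that fails the round trip was reinterpreted by the shell instead of being passed through as data, which makes this check usable as a regression test for any quoting helper.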
