pydoc.py uses old netscape navigator
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python2.7 (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
File :
/usr/lib/
line : 2216 ... 2226
pydoc.py uses old netscape navigator when the webbrowser module can not be imported:
And it is vulnerable to shell command injection too,
because it uses os.system(), which allows shell commands in the parameter "url".
code :
    def open(self, event=None, url=None):
        url = url or self.server.url
        try:
        except ImportError: # pre-webbrowser.py compatibility
            if sys.platform == 'win32':
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libpython2.7-stdlib 2.7.9-2ubuntu3
ProcVersionSign
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelMo
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: i386
CurrentDesktop: MATE
Date: Fri Jun 5 19:33:43 2015
InstallationDate: Installed on 2014-11-02 (214 days ago)
InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
SourcePackage: python2.7
UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)
information type: Public → Public Security
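The pattern the report describes, as an added example that is not part of the original bug report or of pydoc itself: it builds, without running, the string an os.system() fallback would hand to the shell, and sets it beside a shell-free launch. The command template, the `xdg-open` launcher and the sample URLs are assumptions made for illustration (Python 3).

```python
import re
import shlex
import subprocess

# Assumed template: mirrors the netscape fallback the report describes.
# The page's listing is truncated, so the exact string is an assumption.
LEGACY_TEMPLATE = 'netscape "%s" &'

# Characters /bin/sh still interprets inside double quotes.
ACTIVE_IN_DOUBLE_QUOTES = set('"$`\\')
ALLOWED_URL = re.compile(r"(?:https?|file)://", re.IGNORECASE)


def legacy_command(url):
    """Build (never run) the string the os.system() fallback gives the shell."""
    return LEGACY_TEMPLATE % url


def escapes_legacy_quoting(url):
    """True if the URL can change how the shell parses the legacy command."""
    return any(ch in ACTIVE_IN_DOUBLE_QUOTES for ch in url)


def quoted_command(url):
    """If a shell is unavoidable, shlex.quote() keeps the URL a single word."""
    return "netscape %s &" % shlex.quote(url)


def safe_browser_argv(url, browser="xdg-open"):
    """Validate the scheme and return an argv list (browser is hypothetical)."""
    if not ALLOWED_URL.match(url):
        raise ValueError("refusing URL without http/https/file scheme: %r" % url)
    return [browser, url]


def open_url(url):
    """Launch without a shell, so the URL stays one argument."""
    return subprocess.Popen(safe_browser_argv(url), shell=False)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the report.
    for url in ("http://localhost:7464/", 'http://localhost/"; echo INJECTED; "'):
        print(repr(legacy_command(url)), "unsafe:", escapes_legacy_quoting(url))
        print("  argv:", safe_browser_argv(url))
```

With the argv form the second sample is still passed to the launcher, but as one literal argument that no shell ever parses.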
Hi Bernd - Thanks for the report!
I don't see a way for an attacker to inject command line arguments for a couple of reasons:
1) On Ubuntu, webbrowser is always available. It is provided by libpython2.7-stdlib, which python2.7 depends on.
2) You can't provide arbitrary URLs. The GUI version of pydoc pops up a TK-based dialogue. If you click 'open browser', open() is called with a url=None. If you search for a keyword, it has to exist and be selectable in the search results before you can click 'go to selected'. I don't see a way to pass an arbitrary, malicious URL.
3) Even if #1 and #2 above were not mitigating factors, an attacker would have to trick the user into launching pydoc in graphical mode, then search for a specially crafted keyword, and then click 'go to selected'. There are easier ways to trick users into doing things that open them up to attacks.
I suggest that you work with upstream Python to get this issue fixed if you're worried about non-Ubuntu platforms where this might be a security issue.