Ubuntu
python2.7 package

pydoc.py uses old netscape navigator

Bug #1462470 reported by Bernd Dietzel on 2015-06-05

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	python2.7 (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

File :
/usr/lib/python2.7/pydoc.py

line : 2216 ... 2226

pydoc.py uses old netscape navigator when the webbrowser module can not be imported:

And it is vulnerable to shell command injection too,
because it uses os.system() wich allows shell commands in the parameter "url".

code :

        def open(self, event=None, url=None):
            url = url or self.server.url
            try:
                import webbrowser
                webbrowser.open(url)
            except ImportError: # pre-webbrowser.py compatibility
                if sys.platform == 'win32':
                    os.system('start "%s"' % url)
                else:
                    rc = os.system('netscape -remote "openURL(%s)" &' % url)
                    if rc: os.system('netscape "%s" &' % url)

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libpython2.7-stdlib 2.7.9-2ubuntu3
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: i386
CurrentDesktop: MATE
Date: Fri Jun 5 19:33:43 2015
InstallationDate: Installed on 2014-11-02 (214 days ago)
InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
SourcePackage: python2.7
UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)

Tags:

Revision history for this message

Bernd Dietzel (l-ubuntuone1104) wrote on 2015-06-05:

Dependencies.txt Edit (1.1 KiB, text/plain; charset="utf-8")
JournalErrors.txt Edit (19.2 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (103 bytes, text/plain; charset="utf-8")

Bernd Dietzel (l-ubuntuone1104) on 2015-06-30

information type:

Public → Public Security

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2015-07-02:

Hi Bernd - Thanks for the report!

I don't see a way for an attacker to inject command line arguments for a couple of reasons:

1) On Ubuntu, webbrowser is always available. It is provided by libpython2.7-stdlib, which python2.7 depends on.

2) You can't provide arbitrary URLs. The GUI version of pydoc pops up a TK-based dialogue. If you click 'open browser', open() is called with a url=None. If you search for a keyword, it has to exist and be selectable in the search results before you can click 'go to selected'. I don't see a way to pass an arbitrary, malicious URL.

3) Even if #1 and #2 above were not mitigating factors, an attacker would have to trick the user into launching pydoc in graphical mode, then search for a specially crafted keyword, and then click 'go to selected'. There are easier ways to trick users into doing things that open them up to attacks.

I suggest that you work with upstream Python to get this issue fixed if you're worried about non-Ubuntu platforms where this might be a security issue.

Changed in python2.7 (Ubuntu):
status:	New → Invalid

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntupython2.7 package