heat-cfntools

Don't run Commands from AWS::CloudFormation::Init on shell when given as list

Bug #1498300 reported by Anant Patil on 2015-09-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	heat-cfntools	Fix Released	Medium	Zane Bitter	heat-cfntools v1.4.2

Bug Description

When the commands are given as list in AWS::CloudFormation::Init, just run them without using the shell. By default, the external commands (commands either from AWS::CloudFormation::Init or cfn-hooks) are run on shell. Usually these commands are given as if typed on a shell. But in case the command given in AWS::CloudFormation::Init is supplied as a list, it should be run without shell.

Revision history for this message

Anant Patil (ananta) wrote on 2015-09-22:

Reference: https://review.openstack.org/#/c/222554/2..4/heat_cfntools/cfntools/cfn_helper.py

Changed in heat-cfntools:
assignee:	nobody → Anant Patil (ananta)

Zane Bitter (zaneb) on 2015-09-22

Changed in heat-cfntools:
status:	New → Triaged
importance:	Undecided → Critical
importance:	Critical → Medium

Anant Patil (ananta) on 2015-09-23

summary:

- Don't run Commands from AWS::CloudFormation::Init when given as list
+ Don't run Commands from AWS::CloudFormation::Init on shell when given as
+ list

OpenStack Infra (hudson-openstack) on 2015-09-24

Changed in heat-cfntools:
assignee:	Anant Patil (ananta) → Zane Bitter (zaneb)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-24: Fix merged to heat-cfntools (master)

Reviewed: https://review.openstack.org/226631
Committed: https://git.openstack.org/cgit/openstack/heat-cfntools/commit/?id=6571e5ab646f55ba9411f5a668c5224203a08707
Submitter: Jenkins
Branch: master

commit 6571e5ab646f55ba9411f5a668c5224203a08707
Author: Anant Patil <email address hidden>
Date: Wed Sep 23 11:56:05 2015 +0530

Don't run commands given as list on shell

    Commands from AWS::CloudFormation::Init, when supplied as list, should
    be run with shell=False. Only when commands are given as string, they
    are meant to be run on shell.

In principle, we are trying to give least access to the shell to avoid
any inadvertent shell injections.

Change-Id: I3dc6fe0c29a14f75be044846f737e1ade23a6d6b
Closes-Bug: 1498300

Changed in heat-cfntools:
status:	In Progress → Fix Committed

Steve Baker (steve-stevebaker) on 2016-01-21

Changed in heat-cfntools:
milestone:	none → v1.4.2

Zane Bitter (zaneb) on 2016-12-21

Changed in heat-cfntools:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.