Properly escape shell commands
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Remote Apache Management tool | Fix Released | High | TAC one | |
Bug Description
Bash commands are not properly escaped. This could (and will) lead to problems with filesystem paths containing spaces, as well as to big security holes that could result in bash code injection (and mind: we run a lot of commands with root privileges).
How to get better:
- review code and properly escape bash commands [1]
- blacklist certain characters we don't plan to support in filesystem paths (double quotes - " - for example)
- centralize bash command execution into a specific class/Python package to improve security maintainability
- review code and make sure there are no unescaped user input sources anymore.
[1] From #python
(07:00:05 PM) rgl: is there some function that escapes shell arguments? (nb: I don't want to use the exec* functions, I want to run remote commands)
(07:00:27 PM) tacone: rgl: I am interested to know that too .-)
(07:00:46 PM) Yhg1s: rgl: commands.mkarg is the closest.
(07:00:57 PM) Yhg1s: but it really depends on this remote shell.
(07:01:06 PM) Yhg1s: since that defines how something should be escaped.
(07:01:16 PM) rgl: tacone, I already made one, but it only works for bash/sh. it only translates ' => '\''
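As an added illustration of the fixes proposed in the list above (quote every argument using the `'` => `'\''` translation mentioned in the IRC excerpt, reject unsupported path characters, and route command construction through one class), the following Python is not rapache's code; the `RemoteShell` class, the forbidden-character set beyond the double quote, and the sample paths are assumptions:

```python
import shlex

# Characters to refuse in filesystem paths. The double quote is the example
# the bug report gives; newline and NUL are added here as an assumption.
_FORBIDDEN_PATH_CHARS = set('"\n\0')


def shell_quote(arg: str) -> str:
    """Quote one argument for a remote POSIX sh/bash.

    Wraps the argument in single quotes and rewrites each embedded single
    quote as '\\'' (close quote, escaped quote, reopen quote). This is needed
    because the command travels as a string and is re-parsed by the remote
    shell, so the argv-list form of exec*/subprocess cannot be used.
    """
    if arg == "":
        return "''"
    return "'" + arg.replace("'", "'\\''") + "'"


def validate_path(path: str) -> str:
    """Blacklist check for path characters the tool does not plan to support."""
    bad = sorted({c for c in path if c in _FORBIDDEN_PATH_CHARS})
    if bad:
        raise ValueError(f"unsupported characters in path: {bad!r}")
    return path


class RemoteShell:
    """Hypothetical single choke point for building remote command lines.

    Every argument passes through shell_quote, so no caller can forget to
    escape, and reviewing escaping means reviewing this one class.
    """

    def build(self, program: str, *args: str) -> str:
        return " ".join(shell_quote(a) for a in (program, *args))


def naive_build(program: str, *args: str) -> str:
    """The unescaped string concatenation pattern the bug report describes."""
    return " ".join((program, *args))


def argv_seen_by_shell(cmdline: str) -> list:
    """shlex.split tokenizes like a POSIX shell, showing how the remote side
    would actually split the command line into words."""
    return shlex.split(cmdline)
```

Running `argv_seen_by_shell` on both builders for a path such as `/srv/my site` shows the naive form splitting one path into two words while the quoted form keeps it intact.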
Changed in rapache:

| importance | Undecided → High |
|---|---|
| milestone | none → stage0 |
| status | New → Triaged |
http://docs.python.org/lib/module-subprocess.html