Comment 13 for bug 1520691

edso (ed.so) wrote : Re: [Duplicity-team] [Bug 1520691] Re: Shell Code Injection in hsi backend

On 30.11.2015 18:45, Bernd Dietzel wrote:
> I'm not happy with shlex.split.
> It could split the commandline into unwanted additional arguments.
>
> Example with an unwanted help argument in a path:
>
> theregrunner@PC:~$ python
> Python 2.7.10 (default, Oct 14 2015, 16:09:02)
> [GCC 5.2.1 20151010] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> commandline = '%s "ls -l %s"' % ('program' , '/tmp/" "--help')
> >>> commandline
> 'program "ls -l /tmp/" "--help"'
> >>> import shlex
> >>> args = shlex.split(commandline)
> >>> args
> ['program', 'ls -l /tmp/', '--help']
> >>>

can you see a security implication? worst case afaics is breakage.

actually backends had to have the parameters properly quoted already. if not they wouldn't work with spaces or other special chars. not sure that all were tested against these corner cases though.

..ede/duply.net
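As an added illustration (not code from the bug thread or from duplicity), the path from Bernd's example built both ways: the interpolate-then-`shlex.split` pattern the comment objects to, and a directly constructed argv list that keeps the path as one argument. The backend binary name `hsi` is assumed for the example; nothing is executed.

```python
import shlex

# Assumed backend binary name, used only to build argv; nothing is run.
HSI = "hsi"

# Constructed sample path reproducing the one quoted in the comment above.
INJECTED_PATH = '/tmp/" "--help'


def argv_via_shlex(path):
    """Pattern discussed in the bug: interpolate, then re-split the string.

    A double quote inside the path terminates the quoted token, so the
    remainder of the path becomes extra argv entries for the backend binary.
    """
    commandline = '%s "ls -l %s"' % (HSI, path)
    return shlex.split(commandline)


def argv_direct(path):
    """Build argv as a list and never re-parse it.

    The path is embedded verbatim in a single element, so quotes or spaces
    in it cannot create additional arguments. Hand this list to subprocess
    with shell=False (the default) instead of joining it back into a string.
    """
    return [HSI, "ls -l %s" % path]


def extra_args(path):
    """Number of unexpected argv entries the re-split pattern produces."""
    return len(argv_via_shlex(path)) - len(argv_direct(path))


if __name__ == "__main__":
    print(argv_via_shlex(INJECTED_PATH))  # ['hsi', 'ls -l /tmp/', '--help']
    print(argv_direct(INJECTED_PATH))     # ['hsi', 'ls -l /tmp/" "--help']
    print(extra_args(INJECTED_PATH))      # 1
```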