On 30.11.2015 18:45, Bernd Dietzel wrote:
> I'm not happy with shlex.split.
> It could split the commandline into unwanted additional arguments.
>
> Example with an unwanted help argument in a path:
>
> theregrunner@PC:~$ python
> Python 2.7.10 (default, Oct 14 2015, 16:09:02)
> [GCC 5.2.1 20151010] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> commandline = '%s "ls -l %s"' % ('program' , '/tmp/" "--help')
> >>> commandline
> 'program "ls -l /tmp/" "--help"'
> >>> import shlex
> >>> args = shlex.split(commandline)
> >>> args
> ['program', 'ls -l /tmp/', '--help']
> >>>
Can you see a security implication? Worst case afaics is breakage.
Actually, backends had to have the parameters properly quoted already. If not, they wouldn't work with spaces or other special chars. Not sure that all were tested against these corner cases though.
..ede/duply.net
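The splitting behaviour Bernd shows, next to the per-layer quoting ede says backends need, as an added example that is not part of the original thread (Python 3; `shlex.quote` is the Python 3 name of Python 2's `pipes.quote`; the program name and path values are constructed):

```python
import shlex

# Constructed sample inputs: a path with a space, and the thread's crafted
# path whose embedded double quotes close the caller's quoting.
PATH_WITH_SPACE = '/tmp/my dir'
PATH_WITH_QUOTES = '/tmp/" "--help'


def build_unquoted(program, path):
    """The pattern questioned in the thread: interpolate the raw path into a
    shell-style command line and let shlex.split() re-tokenize it."""
    commandline = '%s "ls -l %s"' % (program, path)
    return shlex.split(commandline)


def build_quoted(program, path):
    """Quote at every layer: the path inside the inner 'ls' command, then the
    whole inner command as a single argument of the outer command line."""
    inner = 'ls -l %s' % shlex.quote(path)
    outer = '%s %s' % (program, shlex.quote(inner))
    return shlex.split(outer)


def inner_argv(argv):
    """Tokenize the inner command the way a remote shell would, to check
    that the path survives both layers intact."""
    return shlex.split(argv[1])


def extra_arguments(argv, expected=2):
    """Detection check: any top-level argument beyond the two the builder
    intended means the path broke the quoting (the '--help' case above)."""
    return argv[expected:]


if __name__ == '__main__':
    for path in (PATH_WITH_SPACE, PATH_WITH_QUOTES):
        print('unquoted:', build_unquoted('program', path))
        print('quoted:  ', build_quoted('program', path))
```

The unquoted builder also shows the breakage ede mentions: a path with a space survives the outer split but is torn apart when the inner command is tokenized.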