shell code injection in lftp backend

Bug #1529606 reported by Bernd Dietzel on 2015-12-28
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Duplicity
Low
Unassigned

Bug Description

The lftpbackend.py can start a shell command in the backup path name, but should not.

Examples which start the program xeyes:
================================

duplicity /home "ftps://127.0.0.1:2121/backup';shell xeyes;'/test"

duplicity /home "ftps://127.0.0.1:2121/backup' ||shell xeyes||ls '"

edso (ed.so) wrote :

more or less a duplicate of
 https://bugs.launchpad.net/duplicity/+bug/1520691

demonstrating that shell parameters should be properly escaped before used in a commandline for backend.subprocess_popen()

this is a bug and needs to be fixed in all shell based backends, which will be some effort.

security-wise the severity is low (although Bernd might disagree):
this can be used to run a second process with the users permissions if the user can be tricked to use a specially crafted url. experience tells us that our users use scripts to run duplicity and enter the url once. copying something from somewhere untrusted and pasting to the commandline is a bad idea at any time.

..ede/duply.net

Changed in duplicity:
status: New → Confirmed
importance: Undecided → Low

At the point we get the source or destination paths, shlex.quote() could be
used to safely quote the path parts. Since this does not appear possible
in the hostname or the schema parts, we should be safe to rebuild the URL
with the quoted path. Gonna have to play with it a bit.

On Mon, Dec 28, 2015 at 6:49 AM, edso <email address hidden> wrote:

> more or less a duplicate of
> https://bugs.launchpad.net/duplicity/+bug/1520691
>
> demonstrating that shell parameters should be properly escaped before
> used in a commandline for backend.subprocess_popen()
>
> this is a bug and needs to be fixed in all shell based backends, which
> will be some effort.
>
> security-wise the severity is low (although Bernd might disagree):
> this can be used to run a second process with the users permissions if the
> user can be tricked to use a specially crafted url. experience tells us
> that our users use scripts to run duplicity and enter the url once. copying
> something from somewhere untrusted and pasting to the commandline is a bad
> idea at any time.
>
> ..ede/duply.net
>
> ** Changed in: duplicity
> Status: New => Confirmed
>
> ** Changed in: duplicity
> Importance: Undecided => Low
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1529606
>
> Title:
> shell code injection in lftp backend
>
> Status in Duplicity:
> Confirmed
>
> Bug description:
> The lftpbackend.py can start a shell command in the backup path name,
> but should not.
>
> Examples which start the program xeyes:
> ================================
>
> duplicity /home "ftps://127.0.0.1:2121/backup';shell xeyes;'/test"
>
> duplicity /home "ftps://127.0.0.1:2121/backup' ||shell xeyes||ls '"
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1529606/+subscriptions
>

Bernd Dietzel (l-ubuntuone1104) wrote :

@Kenneth
quote() is a good idea. Think about python2 and python3.

try:
    from shlex import quote
except ImportError:
    from pipes import quote

Please do not forget to exchange the '%s' into %s in the backends so you get no double-quoting problems.

@edso
I hope that the user script does not request a new url automatically when the ftps server is full or offline ;-)

Thank you :-)

shlex.quote() is available for Python2.6 and up, and for Python3.x and up,
so no need for pipes.

On Mon, Dec 28, 2015 at 8:31 AM, Bernd Dietzel <email address hidden>
wrote:

> @Kenneth
> quote() is a good idea. Think about python2 and python3.
>
> try:
> from shlex import quote
> except ImportError:
> from pipes import quote
>
> Please do not forget to exchange the '%s' into %s in the backends so you
> get no double-quoting problems.
>
>
> @edso
> I hope that the user script does not request a new url automatically when
> the ftps server is full or offline ;-)
>
> Thank you :-)
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1529606
>
> Title:
> shell code injection in lftp backend
>
> Status in Duplicity:
> Confirmed
>
> Bug description:
> The lftpbackend.py can start a shell command in the backup path name,
> but should not.
>
> Examples which start the program xeyes:
> ================================
>
> duplicity /home "ftps://127.0.0.1:2121/backup';shell xeyes;'/test"
>
> duplicity /home "ftps://127.0.0.1:2121/backup' ||shell xeyes||ls '"
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1529606/+subscriptions
>

lftpbackend.py has been fixed. The rest have not.

Changed in duplicity:
assignee: nobody → Kenneth Loafman (kenneth-loafman)
milestone: none → 0.7.07
status: Confirmed → In Progress

All popen commands go through backend.subprocess_popen() which takes care of quoting before shelling out.

Changed in duplicity:
status: In Progress → Fix Committed
assignee: Kenneth Loafman (kenneth-loafman) → nobody
Changed in duplicity:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers