shell code injection in lftp backend
Bug #1529606 reported by Bernd Dietzel
This bug affects 1 person

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Duplicity | Fix Released | Low | Unassigned |
Bug Description
The lftpbackend.py can start a shell command in the backup path name, but should not.
Examples which start the program xeyes:
=======
duplicity /home "ftps:/
duplicity /home "ftps:/
Changed in duplicity: status: Fix Committed → Fix Released
more or less a duplicate of https://bugs.launchpad.net/duplicity/+bug/1520691
demonstrating that shell parameters should be properly escaped before used in a commandline for backend.subprocess_popen()
this is a bug and needs to be fixed in all shell based backends, which will be some effort.
security-wise the severity is low (although Bernd might disagree):
this can be used to run a second process with the user's permissions if the user can be tricked to use a specially crafted url. experience tells us that our users use scripts to run duplicity and enter the url once. copying something from somewhere untrusted and pasting to the commandline is a bad idea at any time.
..ede/duply.net
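The comment above says the fix is to escape shell parameters before they go into a command line that a shell parses. The following is an added example, not duplicity's own code and not the bug's original test case: the function names (`build_command_unsafe`, `build_command_quoted`, `build_argv`, `parameter_survives`) and the sample URL are constructed for illustration. It contrasts the unescaped concatenation pattern with `shlex.quote()`, and with the stronger fix of passing an argv list to `subprocess` without a shell, then checks that the URL comes back as exactly one shell word.

```python
import shlex

# Constructed sample value, not taken from the bug report: a backup URL whose
# path contains a space and a shell command separator.
SAMPLE_URL = "ftps://user@backup.example.net/backup dir;xeyes"


def build_command_unsafe(url: str) -> str:
    """Hypothetical reconstruction of the reported pattern: the URL is
    concatenated into a command line that is later handed to a shell, so the
    shell splits and interprets whatever the URL contains."""
    return "lftp " + url


def build_command_quoted(url: str) -> str:
    """Same command line, but the untrusted parameter passes through
    shlex.quote() so a POSIX shell sees it as one literal word."""
    return "lftp " + shlex.quote(url)


def build_argv(url: str) -> list:
    """Preferred form: an argv list for subprocess.run(argv, shell=False),
    which involves no shell parser at all, so no escaping is needed."""
    return ["lftp", url]


def shell_words(cmdline: str) -> list:
    """Split a command line the way a POSIX shell splits it into words.
    shlex models quoting and whitespace only; it does not perform $(...) or
    backtick expansion, so this is a conservative check, not a full shell."""
    return shlex.split(cmdline)


def parameter_survives(cmdline: str, param: str) -> bool:
    """Regression check for a backend: after shell word-splitting, the
    parameter must come back as exactly one word, byte-for-byte unchanged."""
    return shell_words(cmdline) == ["lftp", param]


if __name__ == "__main__":
    for label, cmd in (("unsafe", build_command_unsafe(SAMPLE_URL)),
                       ("quoted", build_command_quoted(SAMPLE_URL))):
        print(label, shell_words(cmd), parameter_survives(cmd, SAMPLE_URL))
    print("argv", build_argv(SAMPLE_URL))
```

`parameter_survives()` is the kind of check a backend's test suite can run over every parameter it interpolates: if a value with spaces or metacharacters does not round-trip as a single word, the command line is being built without escaping.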