platform.py uses os.popen command
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python3.5 (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Uses deprecated os.popen command.
Shell Code can be injected, see example below.
Replace it with subprocess please.
file :
/usr/lib/
line 416:
return os.popen(cmd, mode, bufsize)
Example which starts the program xeyes but should not:
~$ python
Python 2.7.11+ (default, Feb 22 2016, 16:38:42)
[GCC 5.3.1 20160222] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import platform
>>> filename = 'bad file ;xeyes;# name.png'
>>> platform.popen('ls %s' %filename)
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libpython3.
ProcVersionSign
Uname: Linux 4.4.0-7-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Feb 27 07:16:55 2016
InstallationDate: Installed on 2016-02-22 (4 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160219)
SourcePackage: python3.5
UpgradeStatus: No upgrade log present (probably fresh install)
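
Added example, not part of the original report and not CPython's code: the shell-string pattern the report describes next to the `subprocess` argument-list form it asks for, plus `shlex.quote` for cases where a shell cannot be avoided. The filename is a constructed variant of the report's (xeyes swapped for a harmless `echo`), and the function names are hypothetical; it assumes a POSIX system with `ls` on the PATH.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample: the report's filename, with xeyes swapped for a harmless
# echo so the effect is visible on stdout without an X display.
FILENAME = 'bad file ;echo INJECTED;# name.png'


def _run(cmd, cwd, shell):
    # Minimal environment so ls output is not affected by the caller's settings.
    env = {'PATH': os.environ.get('PATH', os.defpath), 'LC_ALL': 'C'}
    done = subprocess.run(cmd, shell=shell, cwd=cwd, env=env,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    return done.stdout


def list_via_shell_string(filename, cwd):
    """Pattern from the report: the name is pasted into a shell command line."""
    return _run('ls %s' % filename, cwd, shell=True)


def list_via_argv(filename, cwd):
    """No shell: the name is a single argv element; '--' ends option parsing."""
    return _run(['ls', '--', filename], cwd, shell=False)


def list_via_quoted_shell(filename, cwd):
    """Where a shell is unavoidable, quote the untrusted part with shlex.quote."""
    return _run('ls -- %s' % shlex.quote(filename), cwd, shell=True)


def demo():
    """Create the oddly named file in a temp dir and list it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, FILENAME), 'w').close()
        return {
            'shell_string': list_via_shell_string(FILENAME, tmp),
            'argv': list_via_argv(FILENAME, tmp),
            'quoted_shell': list_via_quoted_shell(FILENAME, tmp),
        }


if __name__ == '__main__':
    for name, out in demo().items():
        print('%-12s -> %r' % (name, out))
```

In the shell-string case the file is never listed and the embedded command's output is all that reaches stdout; the other two list the file under its literal name.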