platform.py uses os.popen command

Bug #1550653 reported by Bernd Dietzel
Affects: python3.5 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Uses the deprecated os.popen command.
Shell code can be injected, see example below.
Replace it with subprocess please.

file: /usr/lib/python3.5/platform.py

line 416:
    return os.popen(cmd, mode, bufsize)

Example which starts the program xeyes but should not:

~$ python
Python 2.7.11+ (default, Feb 22 2016, 16:38:42)
[GCC 5.3.1 20160222] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import platform
>>> filename = 'bad file ;xeyes;# name.png'
>>> platform.popen('ls %s' %filename)
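The replacement the report asks for, as an added example that is not code from the report or from CPython: a popen-style helper built on subprocess that takes the command as an argument list, so the shell metacharacters in the reporter's filename stay part of the filename. The child process and its argv-echo are constructed here for demonstration.

```python
"""Added example: subprocess-based replacement for platform.popen().

Handing 'ls %s' % filename to os.popen() means /bin/sh parses the string,
so ';xeyes;#' inside a filename becomes a second command. Passing an
argument list to subprocess never starts a shell, so the same bytes are
delivered to the program as one argument and carry no meaning.
"""
import shlex
import subprocess
import sys

# Constructed from the report: ';' and '#' are shell metacharacters.
FILENAME = 'bad file ;xeyes;# name.png'


def run_argv(argv):
    """Stand-in for platform.popen(cmd, 'r'): runs argv without a shell and
    returns the child's stdout as text. Rejects strings so nobody can fall
    back to the vulnerable 'cmd %s' % name pattern by accident."""
    if isinstance(argv, str):
        raise TypeError('pass the command as a list, not a shell string')
    done = subprocess.run(argv, stdout=subprocess.PIPE,
                          universal_newlines=True, check=True)
    return done.stdout


def argv_seen_by_child(filename):
    """Start a Python child that echoes its argv, showing that the hostile
    filename arrives as exactly one argument (no xeyes is ever spawned)."""
    child_code = 'import sys; print(repr(sys.argv[1:]))'
    return run_argv([sys.executable, '-c', child_code, filename]).strip()


def quote_for_shell(filename):
    """If a shell string truly cannot be avoided, shlex.quote() is the
    minimum: the metacharacters end up inside single quotes."""
    return 'ls %s' % shlex.quote(filename)


if __name__ == '__main__':
    print('child argv:', argv_seen_by_child(FILENAME))
    print('quoted    :', quote_for_shell(FILENAME))
```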

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libpython3.5-minimal 3.5.1-6ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-7.22-generic 4.4.2
Uname: Linux 4.4.0-7-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Feb 27 07:16:55 2016
InstallationDate: Installed on 2016-02-22 (4 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160219)
SourcePackage: python3.5
UpgradeStatus: No upgrade log present (probably fresh install)
