insecure use of os.system()

Bug #1495268 reported by Luke Faraone on 2015-09-13
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pysvn
Fix Released
Low
svn-workbench (Debian)
Fix Released
Unknown
svn-workbench (Ubuntu)
Medium
Unassigned

Bug Description

SYNOPSIS:
        If a user was tricked into using the "Command Shell" menu item
        while in a directory with a specially-crafted name,
        svn-workbench would execute arbitrary commands with the
        permissions of the user.

STEPS TO REPRODUCE:
     1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a
        project in svn-workbench
     2. Checkout the project
     3. Navigate to "trunk/$(xeyes)"
     4. Click "Actions", then "Command Shell"

The `xeyes` program (if installed on your system) should start.

Source/wb_shell_unix_commands.py starting at line 53:
        def ShellOpen( app, project_info, filename ):
            app.log.info( T_('Open %s') % filename )
            cur_dir = os.getcwd()
            try:

        wb_platform_specific.uChdir( project_info.getWorkingDir() )
                os.system( "xdg-open '%s'" % filename )
            finally:
                wb_platform_specific.uChdir( cur_dir )

The code should instead start a subprocess in a secure way, such as
using subprocess.call().

CVE References

Luke Faraone (lfaraone) on 2015-09-13
information type: Private Security → Public Security
Changed in svn-workbench (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in pysvn:
importance: Unknown → Low
status: Unknown → In Progress
Changed in svn-workbench (Debian):
status: Unknown → Confirmed
Changed in pysvn:
status: In Progress → Fix Released
Changed in svn-workbench (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.