oss-sec mailing list archives

Re: CVE request: python-gnupg before 0.3.5 shell injection


From: Florian Weimer <fweimer () redhat com>
Date: Tue, 04 Feb 2014 15:29:24 +0100

On 02/04/2014 02:50 PM, Henri Salo wrote:
> Upstream has made new version for testing. Please do comment if you have time. I
> will also test that later and maybe provide more unit tests.
>
> https://code.google.com/p/python-gnupg/issues/detail?id=98#c4

I can't create a Google account right now.

This:
        if not s:
            result = "''"
        elif len(s) >= 2 and (s[0], s[-1]) == ("'", "'"):
            result = '"%s"' % s.replace('"', r'\"').replace("'", r"'\''")
        elif not UNSAFE.search(s):
            result = s
        else:
            result = "'%s'" % s.replace("'", r"'\''")
        return result

should be:

        return "'" + s.replace("'", r"'\''") + "'"

If I write "wrap them in ''", I mean single quotes, not double quotes. Those behave differently in shell.

If upstream really wants to strip the outer '', it can use this instead:

        if s[:1] == "'" and s[-1:] == "'":
            s = s[1:-1]
        return "'" + s.replace("'", r"'\''") + "'"

Again, this may or may not be safe in some Far-Eastern locales.

--
Florian Weimer / Red Hat Product Security Team

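As an added illustration of the point made above (this is not code from the thread or from python-gnupg), the single-quote wrapper and the strip-outer variant are written out beside the double-quote branch of the upstream candidate, and each quoted word is handed to /bin/sh so the shell itself reports what it parsed. It assumes a POSIX sh on the PATH; the function names, the NASTY_INPUTS list and the find_leaks helper are this example's own.

```python
import subprocess
from typing import Callable, List


def shell_quote(s: str) -> str:
    """Wrap s in single quotes so /bin/sh takes it as one literal word.

    Inside single quotes the shell expands nothing ($, backticks and
    backslash are all literal), so the only character that needs handling
    is the single quote itself: close the word, emit an escaped quote,
    reopen the word.
    """
    return "'" + s.replace("'", r"'\''") + "'"


def shell_quote_strip_outer(s: str) -> str:
    """Variant from the mail: drop one pair of enclosing single quotes first.

    Note that a lone "'" satisfies both tests and is stripped down to "".
    """
    if s[:1] == "'" and s[-1:] == "'":
        s = s[1:-1]
    return shell_quote(s)


def double_quote_branch(s: str) -> str:
    """The double-quote branch of the upstream candidate, kept for contrast.

    Double quotes still let the shell interpret $, backticks and backslash,
    so command substitution inside s is executed rather than passed through.
    """
    return '"%s"' % s.replace('"', r'\"').replace("'", r"'\''")


def shell_sees(quoted: str) -> str:
    """Ask /bin/sh which single word the quoted text turns into."""
    proc = subprocess.run(
        ["sh", "-c", "printf '%s' " + quoted],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=True,
    )
    return proc.stdout


# Constructed adversarial inputs (not taken from any real report).
NASTY_INPUTS = [
    "",
    "plain",
    "it's",
    "'",
    "''",
    "'already quoted'",
    "$(echo pwned)",
    "`echo pwned`",
    '"$HOME"',
    "a; rm -rf /tmp/x #",
    "back\\slash",
    "multi\nline",
    "'; echo pwned; '",
]


def find_leaks(quoter: Callable[[str], str], inputs: List[str]) -> List[str]:
    """Return the inputs that do not survive quoting and re-parsing unchanged.

    A shell syntax error counts as a leak too: the quoter handed the shell
    something it did not treat as a single literal word.
    """
    leaks = []
    for s in inputs:
        try:
            if shell_sees(quoter(s)) != s:
                leaks.append(s)
        except subprocess.CalledProcessError:
            leaks.append(s)
    return leaks


if __name__ == "__main__":
    for name, quoter in (("single-quote wrapper", shell_quote),
                         ("double-quote branch", double_quote_branch)):
        print("%s leaks: %r" % (name, find_leaks(quoter, NASTY_INPUTS)))
```

Running it shows the single-quote wrapper returning every input intact, while the double-quote branch turns "$(echo pwned)" into the output of the substituted command; that is the difference between '' and "" that the mail refers to. The strip-outer variant inherits one quirk worth knowing: an input consisting of a single quote character alone is reduced to the empty word.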