oss-sec mailing list archives
Re: CVE request: python-gnupg before 0.3.5 shell injection
From: Florian Weimer <fweimer () redhat com>
Date: Tue, 04 Feb 2014 15:29:24 +0100
On 02/04/2014 02:50 PM, Henri Salo wrote:
> Upstream has made new version for testing. Please do comment if you have time. I will also test that later and maybe provide more unit tests. https://code.google.com/p/python-gnupg/issues/detail?id=98#c4
I can't create a Google account right now. This:

    if not s:
        result = "''"
    elif len(s) >= 2 and (s[0], s[-1]) == ("'", "'"):
        result = '"%s"' % s.replace('"', r'\"').replace("'", r"'\''")
    elif not UNSAFE.search(s):
        result = s
    else:
        result = "'%s'" % s.replace("'", r"'\''")
    return result

should be:

    return "'" + s.replace("'", r"'\''") + "'"

If I write "wrap them in ''", I mean single quotes, not double quotes. Those behave differently in shell.
If upstream really wants to strip the outer '', it can use this instead:

    if s[:1] == "'" and s[-1:] == "'":
        s = s[1:-1]
    return "'" + s.replace("'", r"'\''") + "'"

Again, this may or may not be safe in some Far-Eastern locales.

-- 
Florian Weimer / Red Hat Product Security Team
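The three quoting forms discussed in this message, side by side, as an added example that is not part of the thread or of python-gnupg's own code: the multi-branch "before" function, the always-single-quote form the reply recommends, and the strip-outer-quotes variant. The UNSAFE pattern is not shown in the mail, so the one below (the same character set shlex.quote treats as safe) is an assumption, and the sample inputs are constructed. The offline check parses each quoted string back with shlex in POSIX mode and requires exactly one word equal to the original; the optional live check hands the quoted word to /bin/sh and compares what printf echoes back, which is the only way to see $(...) expansion that shlex cannot model.

```python
import re
import shlex
import subprocess

# Assumption: the mail never shows python-gnupg's UNSAFE regex; this stand-in
# uses the same safe-character set as shlex.quote.
UNSAFE = re.compile(r"[^\w@%+=:,./-]")


def old_quote(s):
    """The 'before' form quoted in the mail, reproduced for comparison."""
    if not s:
        return "''"
    elif len(s) >= 2 and (s[0], s[-1]) == ("'", "'"):
        # Double quotes leave $, ` and \ live for the shell, so an argument
        # that merely begins and ends with ' reaches sh without protection.
        return '"%s"' % s.replace('"', r'\"').replace("'", r"'\''")
    elif not UNSAFE.search(s):
        return s
    else:
        return "'%s'" % s.replace("'", r"'\''")


def shell_quote(s):
    """The always-single-quote form the reply recommends.  Inside '...' the
    shell expands nothing, so the only character needing care is ' itself,
    written as '\\'' (close quote, escaped literal quote, reopen quote)."""
    return "'" + s.replace("'", r"'\''") + "'"


def shell_quote_strip_outer(s):
    """The reply's second variant: drop one pre-existing pair of surrounding
    single quotes, then quote as above."""
    if s[:1] == "'" and s[-1:] == "'":
        s = s[1:-1]
    return shell_quote(s)


def parses_back(quoted, original):
    """Offline check: shlex in POSIX mode must read the quoted text as exactly
    one word that equals the original argument."""
    return shlex.split(quoted) == [original]


def sh_output(quoted):
    """Live check: what /bin/sh actually passes on after parsing `quoted`.
    printf rather than echo, so leading dashes and backslashes survive."""
    proc = subprocess.run(["sh", "-c", "printf '%s' " + quoted],
                          capture_output=True, check=True)
    return proc.stdout.decode()


# Constructed inputs covering the branches of old_quote and the characters
# that matter to a POSIX shell.
SAMPLES = [
    "",
    "plain",
    "has space",
    "it's",
    "'quoted'",
    '"dq"',
    "$(echo EXPANDED)",
    "'$(echo EXPANDED)'",
    "back\\slash",
    "multi\nline",
]


def offline_report():
    """Map each sample to (old form round-trips?, recommended form round-trips?)."""
    return {s: (parses_back(old_quote(s), s), parses_back(shell_quote(s), s))
            for s in SAMPLES}


if __name__ == "__main__":
    for s, (old_ok, new_ok) in offline_report().items():
        print("%-22r old=%-5s new=%s" % (s, old_ok, new_ok))
    # The live demonstration: the old double-quote branch lets the shell run
    # the substitution, the single-quote form hands it over verbatim.
    marker = "'$(echo EXPANDED)'"
    print("old via sh:", repr(sh_output(old_quote(marker))))
    print("new via sh:", repr(sh_output(shell_quote(marker))))
```

The recommended form passes the offline round-trip for every sample, including the empty string (`''`), embedded newlines and backslashes; the old function fails exactly where the mail says it does, on inputs that start and end with a single quote, because the `'\''` rewrite only means something inside single quotes. When sh is available, the last two prints show `EXPANDED` leaking through the old branch and the literal `'$(echo EXPANDED)'` surviving the new one.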
Current thread:
- CVE request: python-gnupg before 0.3.5 shell injection Hanno Böck (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Henri Salo (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Florian Weimer (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Henri Salo (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Henri Salo (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Florian Weimer (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Vinay Sajip (Feb 05)
- Re: Re: CVE request: python-gnupg before 0.3.5 shell injection Florian Weimer (Feb 05)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Vinay Sajip (Feb 05)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Florian Weimer (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection Henri Salo (Feb 04)
- Re: CVE request: python-gnupg before 0.3.5 shell injection cve-assign (Feb 09)
- Re: Re: CVE request: python-gnupg before 0.3.5 shell injection Simon McVittie (Feb 10)
- Re: CVE request: python-gnupg before 0.3.5 shell injection cve-assign (Feb 12)