[issue25751] ctypes.util , Shell Injection in find_library()
Martin Panter
report at bugs.python.org
Mon Nov 30 20:54:54 EST 2015
Martin Panter added the comment:
I do not believe 3.5 is fixed either:
$ python3.5
Python 3.5.0 (default, Sep 20 2015, 11:28:25)
[GCC 5.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes.util
>>> ctypes.util.find_library("; echo Hello shell >&2")
Hello shell
>>>
Issue 22636 has a patch with some review comments, but it is still open. I think it needs someone to take another look, perhaps update the patch, and get it committed.
I will mark the other issue as a bug fix for 2.7 and 3.4+.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue25751>
_______________________________________
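An added example, not part of the original message or of CPython: a guard that callers on an interpreter without the fix could put in front of `ctypes.util.find_library()`, plus a check that shows, without executing anything, why the name from the session above is dangerous once it is concatenated into a shell command. The command template, the allowed character set and the function names are assumptions made for illustration.

```python
import ctypes.util
import re
import shlex

# Assumption: library short names only need letters, digits and "_ + . -".
_SAFE_NAME = re.compile(r"[A-Za-z0-9_+.\-]+\Z")

# Constructed stand-in for a command line built by string concatenation.
# It is not the command that ctypes.util builds internally.
_TEMPLATE = "cc -o /dev/null -l{name}"

_SHELL_OPERATOR_CHARS = set("();<>|&")


def shell_operators(name):
    """List the shell control operators present after `name` is interpolated
    into the stand-in command string. The command is only tokenised, never
    run. Raises ValueError if `name` contains an unbalanced quote."""
    lexer = shlex.shlex(_TEMPLATE.format(name=name), punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= _SHELL_OPERATOR_CHARS]


def is_safe_library_name(name):
    """Allowlist check: a plain library short name and nothing else."""
    return (
        isinstance(name, str)
        and bool(_SAFE_NAME.match(name))
        and not name.startswith("-")  # do not let the name look like an option
    )


def safe_find_library(name):
    """Validate first, then delegate to the standard library lookup."""
    if not is_safe_library_name(name):
        raise ValueError("refusing library name %r" % (name,))
    return ctypes.util.find_library(name)


if __name__ == "__main__":
    reported = "; echo Hello shell >&2"  # the string from the session above
    print("operators a shell would act on:", shell_operators(reported))
    print("passes allowlist:", is_safe_library_name(reported))
    print("ordinary name passes allowlist:", is_safe_library_name("ssl"))
```

The allowlist is a mitigation for callers that pass externally influenced names; it does not replace a fix in the library itself.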