[Python-checkins] gh-97612: Fix shell injection in get-remote-certificate.py (#97613)
vstinner
webhook-mailer at python.org
Wed Sep 28 19:17:35 EDT 2022
https://github.com/python/cpython/commit/83a0f44ffd8b398673ae56c310cf5768d359c341
commit: 83a0f44ffd8b398673ae56c310cf5768d359c341
branch: main
author: Victor Stinner <vstinner at python.org>
committer: vstinner <vstinner at python.org>
date: 2022-09-29T01:17:27+02:00
summary:
gh-97612: Fix shell injection in get-remote-certificate.py (#97613)
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.
Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
Co-authored-by: Caleb Shortt <caleb at rgauge.com>
files:
A Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
M Tools/scripts/get-remote-certificate.py
diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
new file mode 100644
index 000000000000..2f113492d42d
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
@@ -0,0 +1,3 @@
+Fix a shell code injection vulnerability in the ``get-remote-certificate.py``
+example script. The script no longer uses a shell to run ``openssl`` commands.
+Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.
diff --git a/Tools/scripts/get-remote-certificate.py b/Tools/scripts/get-remote-certificate.py
index 38901286e19a..68272fca83fe 100755
--- a/Tools/scripts/get-remote-certificate.py
+++ b/Tools/scripts/get-remote-certificate.py
@@ -15,8 +15,8 @@
def fetch_server_certificate (host, port):
def subproc(cmd):
- from subprocess import Popen, PIPE, STDOUT
- proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
+ from subprocess import Popen, PIPE, STDOUT, DEVNULL
+ proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, stdin=DEVNULL)
status = proc.wait()
output = proc.stdout.read()
return status, output
@@ -33,8 +33,8 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
fp.write(m.group(1) + b"\n")
try:
tn2 = (outfile or tempfile.mktemp())
- status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
- (tn, tn2))
+ cmd = ['openssl', 'x509', '-in', tn, '-out', tn2]
+ status, output = subproc(cmd)
if status != 0:
raise RuntimeError('OpenSSL x509 failed with status %s and '
'output: %r' % (status, output))
@@ -45,20 +45,9 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
finally:
os.unlink(tn)
- if sys.platform.startswith("win"):
- tfile = tempfile.mktemp()
- with open(tfile, "w") as fp:
- fp.write("quit\n")
- try:
- status, output = subproc(
- 'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
- (host, port, tfile))
- finally:
- os.unlink(tfile)
- else:
- status, output = subproc(
- 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
- (host, port))
+ cmd = ['openssl', 's_client', '-connect', '%s:%s' % (host, port), '-showcerts']
+ status, output = subproc(cmd)
+
if status != 0:
raise RuntimeError('OpenSSL connect failed with status %s and '
'output: %r' % (status, output))
More information about the Python-checkins
mailing list