mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-16 05:36:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613)

Browse source 
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44ffd)

Co-authored-by: Victor Stinner <vstinner@python.org>
This commit is contained in:
Miss Islington (bot) 2022-09-28 16:46:11 -07:00 committed by GitHub
parent 7d60d10b63
commit 94582bb643
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst Normal file
View file

@ -0,0 +1,3 @@
Fix a shell code injection vulnerability in the ``get-remote-certificate.py``
example script. The script no longer uses a shell to run ``openssl`` commands.
Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

25
Tools/scripts/get-remote-certificate.py
View file

@ -15,8 +15,8 @@ import tempfile
def fetch_server_certificate (host, port): def fetch_server_certificate (host, port):
def subproc(cmd): def subproc(cmd):
from subprocess import Popen, PIPE, STDOUT from subprocess import Popen, PIPE, STDOUT, DEVNULL
proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True) proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, stdin=DEVNULL)
status = proc.wait() status = proc.wait()
output = proc.stdout.read() output = proc.stdout.read()
return status, output return status, output
@ -33,8 +33,8 @@ def fetch_server_certificate (host, port):
fp.write(m.group(1) + b"\n") fp.write(m.group(1) + b"\n")
try: try:
tn2 = (outfile or tempfile.mktemp()) tn2 = (outfile or tempfile.mktemp())
status, output = subproc(r'openssl x509 -in "%s" -out "%s"' % cmd = ['openssl', 'x509', '-in', tn, '-out', tn2]
(tn, tn2)) status, output = subproc(cmd)
if status != 0: if status != 0:
raise RuntimeError('OpenSSL x509 failed with status %s and ' raise RuntimeError('OpenSSL x509 failed with status %s and '
'output: %r' % (status, output)) 'output: %r' % (status, output))
@ -45,20 +45,9 @@ def fetch_server_certificate (host, port):
finally: finally:
os.unlink(tn) os.unlink(tn)
if sys.platform.startswith("win"): cmd = ['openssl', 's_client', '-connect', '%s:%s' % (host, port), '-showcerts']
tfile = tempfile.mktemp() status, output = subproc(cmd)
with open(tfile, "w") as fp:
fp.write("quit\n")
try:
status, output = subproc(
'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
(host, port, tfile))
finally:
os.unlink(tfile)
else:
status, output = subproc(
'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
(host, port))
if status != 0: if status != 0:
raise RuntimeError('OpenSSL connect failed with status %s and ' raise RuntimeError('OpenSSL connect failed with status %s and '
'output: %r' % (status, output)) 'output: %r' % (status, output))