
[security] Tools/scripts/get-remote-certificate.py is vulnerable to shell code injection #97612

Closed
vstinner opened this issue Sep 28, 2022 · 3 comments
Labels
type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

@vstinner
Member

vstinner commented Sep 28, 2022

The Tools/scripts/get-remote-certificate.py script is vulnerable to shell code injection. This vulnerability was reported by Caleb Shortt (@calebshortt).

@calebshortt proposed PR #96014 to fix it.

@vstinner vstinner added type-bug An unexpected behavior, bug, or error type-security A security issue labels Sep 28, 2022
@vstinner
Member Author

vstinner commented Sep 28, 2022

Example:

$ ./python Tools/scripts/get-remote-certificate.py 'localhost"||echo 1 > /tmp/marker #:80'
(...)

$ cat /tmp/marker 
1
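The injectable pattern and its hardened counterpart, as an added example that is not the issue's own code nor the CPython script: the unsafe command string is modelled on the pre-fix script and the hardened path on what the commit messages describe (argument list instead of a shell, DEVNULL for stdin on every platform). The helper names, the hostname check and the injectable `run` parameter are assumptions made for this example.

```python
import re
import subprocess

# Constructed sample: the crafted host from the reproduction above (port stripped).
CRAFTED_HOST = 'localhost"||echo 1 > /tmp/marker #'

def unsafe_command(host, port):
    """The injectable pattern (assumed shape of the pre-fix script): user input
    is interpolated into ONE string that a shell then parses, so a quote in
    the host closes the literal and the rest becomes shell syntax. Do not use."""
    return 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' % (host, port)

def safe_argv(host, port):
    """Argument vector handed to the kernel directly: no shell ever sees it,
    so quotes, '||' and '#' in the host are just bytes of a single argument."""
    return ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-showcerts"]

# Defence in depth on top of the argv fix: hostname / IPv4 syntax only
# (IPv6 literals are deliberately out of scope for this example).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def is_plausible_host(host):
    return bool(HOST_RE.match(host))

def fetch_server_certificate(host, port, run=subprocess.run):
    """Run openssl without a shell, feed it DEVNULL on every platform (as the
    fix does) and return the first PEM certificate in its output, or None.
    `run` is injectable so the function can be exercised without openssl."""
    if not is_plausible_host(host):
        raise ValueError("refusing suspicious host: %r" % host)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    proc = run(safe_argv(host, port), stdin=subprocess.DEVNULL,
               stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    match = re.search(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                      proc.stdout, re.S)
    return match.group(0).decode("ascii") if match else None
```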

@vstinner vstinner changed the title [security][CVE-2022-37460] Tools/scripts/get-remote-certificate.py is vulnerable to shell code injection [security] Tools/scripts/get-remote-certificate.py is vulnerable to shell code injection Sep 28, 2022
@vstinner
Member Author

vstinner commented Sep 28, 2022

I removed mention of CVE-2022-37460: it was withdrawn according to @gpshead.

vstinner pushed a commit to vstinner/cpython that referenced this issue Sep 28, 2022
Fix a shell code injection vulnerability in the
Tools/scripts/get-remote-certificate.py script. The script no longer
uses a shell to run "openssl" commands. Issue reported and initial
fix by Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
vstinner pushed a commit to vstinner/cpython that referenced this issue Sep 28, 2022
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
vstinner added a commit that referenced this issue Sep 28, 2022
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 28, 2022
…honGH-97613)

Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44)

Co-authored-by: Victor Stinner <vstinner@python.org>
vstinner added a commit to vstinner/cpython that referenced this issue Sep 28, 2022
…hon#97613)

Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44)
miss-islington added a commit that referenced this issue Sep 28, 2022
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44)

Co-authored-by: Victor Stinner <vstinner@python.org>
@vstinner
Member Author

vstinner commented Sep 29, 2022

I created https://discuss.python.org/t/remove-outdated-tools-scripts-scripts/19571 discussion to propose removing outdated example scripts.

ambv pushed a commit that referenced this issue Oct 4, 2022
…97613) (GH-97632)

gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613)

Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44)

Co-authored-by: Victor Stinner <vstinner@python.org>
ambv pushed a commit that referenced this issue Oct 4, 2022
…97613) (GH-97633)

Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44)

Co-authored-by: Victor Stinner <vstinner@python.org>
ambv pushed a commit that referenced this issue Oct 5, 2022
) (#97634)

Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44)
@vstinner vstinner closed this as completed Oct 6, 2022