[Issue 202] New - CVE-2015-0853: insecure use of os.system()

Author lfaraone
Full name Luke Faraone
Date 2015-09-13 09:42:52 PDT
Message http://pysvn.tigris.org/issues/show_bug.cgi?id=202
                 Issue #|202
                 Summary|CVE-2015-0853: insecure use of os.system()
               Component|pysvn
                 Version|1.6.1
                Platform|All
              OS/Version|Linux
                     URL|
                  Status|NEW
       Status whiteboard|
                Keywords|
              Resolution|
              Issue type|DEFECT
                Priority|P2
            Subcomponent|workbench
             Assigned to|barryscott
             Reported by|lfaraone

------- Additional comments from lfaraone at tigris dot org Sun Sep 13 09:42:52 -0700 2015 -------
SYNOPSIS:
        If a user was tricked into using the "Command Shell" menu item
        while in a directory with a specially-crafted name,
        svn-workbench would execute arbitrary commands with the
        permissions of the user.

STEPS TO REPRODUCE:
     1. Add "https://github.com/lfaraone/turbulent-octo-garbanzo" as a
        project in svn-workbench
     2. Checkout the project
     3. Navigate to "trunk/$(xeyes)"
     4. Click "Actions", then "Command Shell"

The `xeyes` program (if installed on your system) should start.

Source/wb_shell_unix_commands.py starting at line 53:
        def ShellOpen( app, project_info, filename ):
            app.log.info( T_('Open %s') % filename )
            cur_dir = os.getcwd()
            try:
                wb_platform_specific.uChdir( project_info.getWorkingDir() )
                # filename is interpolated into a shell command line unchanged,
                # so shell metacharacters in it (e.g. $(...) or a stray ') are
                # interpreted by /bin/sh rather than passed to xdg-open
                os.system( "xdg-open '%s'" % filename )
            finally:
                wb_platform_specific.uChdir( cur_dir )

The code should instead start a subprocess in a secure way, such as
using subprocess.call().
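A hardened counterpart of the ShellOpen shown above, written here as an added example rather than pysvn's own code. The helper names, the injectable `runner` parameter and the use of `cwd=` in place of the chdir/finally pair are assumptions; the command name and the "$(xeyes)" directory name come from the report.

```python
import subprocess
import sys

# Added example, not pysvn's code. The vulnerable ShellOpen builds a shell
# string ("xdg-open '%s'" % filename) and hands it to os.system(), so a
# directory or file name containing shell metacharacters such as $(xeyes)
# is evaluated by /bin/sh. Passing an argv list to subprocess without
# shell=True delivers the name to xdg-open as one literal argument.


def build_open_argv(filename):
    """Argument vector for opening filename: no shell, no quoting needed."""
    # Hypothetical helper; xdg-open is the command used in the report.
    return ["xdg-open", filename]


def safe_shell_open(working_dir, filename, runner=subprocess.call):
    """Hardened counterpart of ShellOpen.

    cwd= replaces the os.getcwd()/uChdir()/finally sequence, and `runner`
    is injectable so the call can be checked without launching a desktop
    handler (assumed parameter, not part of the original signature).
    """
    argv = build_open_argv(filename)
    # shell=False is already the default; stated explicitly to document intent.
    return runner(argv, cwd=working_dir, shell=False)


def argument_as_received(filename):
    """Show what a child process actually sees when given filename via argv.

    A child Python interpreter stands in for xdg-open so this runs offline;
    it prints sys.argv[1] back unchanged, proving no shell evaluated it.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", filename],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    crafted = "trunk/$(xeyes)"  # constructed name, as in the reproduction steps
    print("os.system would run:", "xdg-open '%s'" % crafted)
    print("child process receives:", argument_as_received(crafted))
```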

Messages
[Issue 202] New - CVE-2015-0853: insecure use of os.system() lfaraone Luke Faraone 2015-09-13 09:42:52 PDT
     [Issue 202] CVE-2015-0853: insecure use of os.system() barryscott Barry Scott 2015-09-13 10:38:29 PDT
     [Issue 202] CVE-2015-0853: insecure use of os.system() barryscott Barry Scott 2015-11-05 07:33:22 PST