Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://mail.python.org/pipermail/python-dev/2014-September/136485.html below:

[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

• Previous message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
• Next message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Steven D'Aprano <steve at pearwood.info>:

> Perhaps I'm missing something, but aren't there easier ways to attack 
> os.system than the bash env vulnerability?

The main concern is the cases where you provide a service accessible
through an SSH login and try to sandbox the client with limited
functionality. SSH passes some environment variables on to the service
which can then be used as an XSS vector.

For example, if you wrote an SVN server's SSH front end with Python and
used subprocess.Popen(shell=True) to execute the SVN operations, you
could become a victim.


Marko

• Previous message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
• Next message: [Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4