the importance of using safe interprocess communication
Fri, 8 Feb 2002 03:46:01 -0800
Ben Escoto wrote:
> Hmm, how is the patched version vulnerable to security holes?
I don't think it is as long as /bin/sh -c behaves how you expect it
to, your environment is what you think it is, etc. Using a Popen3
class would let you capture the errors from the system call, something
which should always be done, *especially* when the program runs with
elevated privileges. Granted it might be slower assuming popen()
doesn't fork, and your shell is 'smart' enough to just exec without
forking, but honestly /bin/sh -c being offered variable arguments,
untainted or not, just gives me a bad feeling; I'd rather just use
something that I know doesn't ever muck with my command.
I still have no patch to offer though because I've wasted the evening
reading python source code tracking down how many steps even a Popen3
call has to go through before its finally handed to the system. That
and drinking. The latter making the former somewhat difficult by the
time I got to PyArg_Parse() and vgetargs1(). And now, bed.
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."