[Openstack-security] [Bug 1343657] Re: Shell Injection in backup strategies

Amrith 1343657 at bugs.launchpad.net
Thu Oct 16 15:46:59 UTC 2014


I was intending to fix the bug in a manner similar to what Nathan
(nkinder) suggests in #15 above only that I'd rather take the guesswork
out of the client side (trove, for example) code and instead encapsulate
it into oslo.

To that end, I was thinking of extending execute() and providing
execute_extended() which would take a series of command lines and
construct the pipeline for you instead.

An important thing to bear in mind in this kind of pipelined execution
is that things get a tad bit hairy when people start doing redirection
in the command line (and there is pipelining). For example:

cmd1 2>&1 | cmd2

So, when you get something like this, subprocess.Popen() will puke on
the 2>&1 unless you use shell=True.

But, this is a reasonable limitation to help eliminate the necessity to
use shell=True.

Note: I'm dubious about the use of the preexec_fn os.setsid that nkinder
recommends as that is process wide and not thread specific.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1343657

Title:
  Shell Injection in backup strategies

Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released
Status in Openstack Database (Trove):
  New

Bug description:
  Trove uses subprocess.Popen with shell=True in
  trove/trove/guestagent/strategies/backup/base.py line 61:

      def run(self):
          self.process = subprocess.Popen(self.command, shell=True,
                                          stdout=subprocess.PIPE,
                                          stderr=subprocess.PIPE,
                                          preexec_fn=os.setsid)
          self.pid = self.process.pid

  This could be used, maliciously or not, to inject arbitrary commands
  into a command line string. An example of how this could be triggered is
  in trove/trove/guestagent/strategies/backup/mysql_imply.py line 37. It
  is creating a MySQL string with single quotes. If the password, either
  maliciously or by chance, contains another single quote, it will
  escape from the command and arbitrary data will be executed instead.

  For more information on subprocess, shell=True and command injection
  see:
  https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1343657/+subscriptions
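
The pipeline handling discussed in this message, as an added example (not code from Trove, oslo or the original post): a hypothetical run_pipeline() helper that chains argument lists without a shell and replaces `2>&1` with stderr=subprocess.STDOUT. The helper name, its merge_stderr parameter, the stand-in stages and the sample password are assumptions constructed for illustration.

```python
import subprocess
import sys


def run_pipeline(commands, merge_stderr=False):
    """Run a list of argv lists as cmd1 | cmd2 | ... with no shell involved.

    merge_stderr=True gives every stage except the last the effect of
    `2>&1` by passing stderr=subprocess.STDOUT instead of shell syntax.
    Returns (stdout bytes of the last stage, list of return codes).
    """
    procs = []
    prev_out = None
    for i, argv in enumerate(commands):
        last = i == len(commands) - 1
        proc = subprocess.Popen(
            argv,  # a list: each element reaches the program verbatim
            stdin=prev_out if prev_out is not None else subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT if (merge_stderr and not last) else None,
        )
        if prev_out is not None:
            prev_out.close()  # parent drops its copy so upstream can get SIGPIPE
        prev_out = proc.stdout
        procs.append(proc)
    output = procs[-1].communicate()[0]
    return output, [p.wait() for p in procs]


def demo():
    # Constructed password with a single quote and shell metacharacters.
    password = "pa'ss; echo INJECTED #"
    # Stage 1 stands in for a backup tool that writes its argument to stderr.
    stage1 = [sys.executable, "-c",
              "import sys; sys.stderr.write(sys.argv[1])", password]
    # Stage 2 stands in for a downstream consumer such as a compressor.
    stage2 = [sys.executable, "-c",
              "import sys; sys.stdout.write('got:' + sys.stdin.read())"]
    # Equivalent of `stage1 2>&1 | stage2`, with no string for a shell to parse.
    return run_pipeline([stage1, stage2], merge_stderr=True)


if __name__ == "__main__":
    out, codes = demo()
    print(out.decode(), codes)
```

The quote and the `;` arrive at stage 2 as ordinary data because no shell ever parses the password.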



