[Openstack-security] [Bug 1348416] Re: Popen with shell=True
Sean Dague
sean at dague.net
Thu Sep 11 19:15:01 UTC 2014
The only place this exists inside nova is db tests and tools that are
meant to be run locally, and the baremetal driver, which we are about to
delete. So this is a won't fix.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1348416
Title:
Popen with shell=True
Status in OpenStack Image Registry and Delivery Service (Glance):
Confirmed
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
Glance uses subprocess.Popen with shell=True in
glance/tests/unit/test_migrations.py line 175 in function
_reset_databases:
import subprocess

def execute_cmd(cmd=None):
    # Flagged pattern: cmd is a single string handed to /bin/sh for parsing
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, shell=True)
If execute_cmd contains, either accidentally or maliciously, a double
quote then arbitrary data will be executed. Popen should be called
with an argument list instead of directly through the shell. For more
information on subprocess, shell=True and command injection see:
https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
Since these are unit tests and the likelihood of malicious input is
low the severity should also be low.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1348416/+subscriptions
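The injection the bug report describes, and the argument-list fix it recommends, side by side as an added example. This is not code from Glance, Nova or the bug thread; it uses "echo" as a stand-in for the real drop-database command so it runs anywhere, and assumes a POSIX /bin/sh (shell=True on Windows goes through cmd.exe, where the quoting rules differ). The database name, the INJECTED marker and all function names are constructed for the example.

```python
import shlex
import subprocess

# Constructed payload: a database name carrying a double quote, the character
# the bug report calls out. Under a shell the quote closes the argument and
# the rest of the string becomes a second command.
MALICIOUS_DB_NAME = 'nova_test"; echo INJECTED; echo "'
INJECTION_MARKER = "INJECTED"


def _run(args, shell):
    """Run a command and return its combined stdout/stderr as a list of lines."""
    proc = subprocess.Popen(args, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, shell=shell)
    out, _ = proc.communicate()
    return out.decode("utf-8", "replace").splitlines()


def drop_database_unsafe(db_name):
    """The pattern flagged in the bug: one string, parsed by /bin/sh.

    'echo' stands in for the real drop command. With the malicious name the
    shell sees: echo "dropping nova_test"; echo INJECTED; echo ""
    """
    return _run('echo "dropping %s"' % db_name, shell=True)


def drop_database_argv(db_name):
    """Recommended fix: an argument list and no shell, so the whole name is a
    single argv entry regardless of what characters it contains."""
    return _run(["echo", "dropping %s" % db_name], shell=False)


def drop_database_quoted(db_name):
    """If a shell is unavoidable (pipes, redirections), quote every untrusted
    argument with shlex.quote (pipes.quote on Python 2) before interpolating."""
    return _run("echo dropping %s" % shlex.quote(db_name), shell=True)


def was_injected(lines):
    """True when the injected command ran and produced its own output line."""
    return INJECTION_MARKER in lines


if __name__ == "__main__":
    for fn in (drop_database_unsafe, drop_database_argv, drop_database_quoted):
        lines = fn(MALICIOUS_DB_NAME)
        print("%-22s injected=%-5s output=%r" % (fn.__name__, was_injected(lines), lines))
```

Only the shell=True variant produces INJECTED as a separate output line; the argv and shlex.quote variants print the whole hostile name as literal text in one line. The argv form is the one to reach for first: shlex.quote is a fallback for the cases where a shell is genuinely needed, and it protects only the arguments you remember to wrap.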