[Openstack-security] [Bug 1343657] Re: Shell Injection in backup strategies

Nikhil Manchanda SlickNik at gmail.com
Mon Sep 22 22:47:28 UTC 2014


So the reason this runs with shell = true is because it uses POSIX pipes
to do redirection as part of the backup / restore command.

Is there a viable alternative which we can use that allows us to work
with pipes doing the backup, and still harden the code wrt the security
concern identified here?

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1343657

Title:
  Shell Injection in backup strategies

Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released
Status in Openstack Database (Trove):
  New

Bug description:
  Trove uses subprocess.Popen with shell=True in
  trove/trove/guestagent/strategies/backup/base.py line 61:

      def run(self):
          self.process = subprocess.Popen(self.command, shell=True,
                                          stdout=subprocess.PIPE,
                                          stderr=subprocess.PIPE,
                                          preexec_fn=os.setsid)
          self.pid = self.process.pid

  This could be used, maliciously or not, to inject arbitrary commands
  into a command line string. An example of how this could be triggered
  is in trove/trove/guestagent/strategies/backup/mysql_imply.py line 37.
  It creates a MySQL string with single quotes. If the password, either
  maliciously or by chance, contains another single quote, it will
  escape from the command and arbitrary data will be executed instead.

  For more information on subprocess, shell=True and command injection
  see:
  https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1343657/+subscriptions
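
One way to keep the pipes without a shell, as an added example that is not part of the original message or Trove's code: each stage is an argv list chained through subprocess pipes, shown beside the single-quote pattern from the bug description and a shlex.quote variant. The printf/cat stages and the PASSWORD value are constructed stand-ins for the real backup commands.

```python
import shlex
import subprocess

# Constructed sample value: a "password" that happens to contain single quotes.
PASSWORD = "pw'; echo INJECTED; echo '"


def shell_pipeline(password):
    """Pattern from the bug report: value pasted between quotes, shell=True."""
    cmd = "printf '%%s\\n' '%s' | cat" % password
    return subprocess.check_output(cmd, shell=True).decode()


def quoted_shell_pipeline(password):
    """Still a shell, but the value is escaped with shlex.quote first."""
    cmd = "printf '%%s\\n' %s | cat" % shlex.quote(password)
    return subprocess.check_output(cmd, shell=True).decode()


def argv_pipeline(stages):
    """Run argv lists as `a | b | ...` with no shell.

    Returns (stdout, exit codes). Every stage's exit code is reported,
    whereas a plain shell pipeline only reports the last one.
    """
    procs, prev = [], None
    for argv in stages:
        proc = subprocess.Popen(argv, stdin=prev, stdout=subprocess.PIPE)
        if prev is not None:
            prev.close()  # parent drops its copy so upstream can see SIGPIPE
        procs.append(proc)
        prev = proc.stdout
    out = procs[-1].communicate()[0].decode()
    return out, [p.wait() for p in procs]


if __name__ == "__main__":
    # The quote in the value ends the string early; "echo INJECTED" runs.
    print(repr(shell_pipeline(PASSWORD)))
    # Escaped value reaches printf as one literal argument.
    print(repr(quoted_shell_pipeline(PASSWORD)))
    # No shell at all: the value is a single argv element, never parsed.
    print(argv_pipeline([["printf", "%s\n", PASSWORD], ["cat"]]))
```
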



