[Openstack-security] [Bug 1348416] Re: Popen with shell=True
Mark Washenberger
1348416 at bugs.launchpad.net
Thu Sep 11 17:55:50 UTC 2014
There is also a nasty shell=True in glance.tests.utils.execute, which is
probably even worse!
Our test_migrations code was copied from nova I believe, and a brief
glance at nova master indicates a similar use of shell=True in
test_migrations.py. So I'm adding Nova as well.
** Changed in: glance
Status: New => Confirmed
** Changed in: glance
Importance: Undecided => Low
** Also affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1348416
Title:
Popen with shell=True
Status in OpenStack Image Registry and Delivery Service (Glance):
Confirmed
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
Glance uses subprocess.Popen with shell=True in
glance/tests/unit/test_migrations.py line 175 in function
_reset_datases:
    import subprocess

    def execute_cmd(cmd=None):
        # cmd is one string; shell=True hands it to /bin/sh, which interprets quotes, ';', '|', '$(...)' and so on
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT, shell=True)
If execute_cmd contains, either accidentally or maliciously, a double
quote then arbitrary data will be executed. Popen should be called
with an argument list instead of directly through the shell. For more
information on subprocess, shell=True and command injection see:
https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
Since these are unit tests and the likelihood of malicious input is
low the severity should also be low.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1348416/+subscriptions
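The following is an added illustration of the point the bug report makes; it is not code from the report, from Glance or from Nova. It runs the same command template two ways, once as a single string with shell=True (the pattern in test_migrations.py) and once as an argument list without a shell, and records whether a command smuggled in through a closing double quote actually executes. It assumes a POSIX system with /bin/sh, echo and touch, uses a constructed stand-in value (injected_value) in place of a database credential read from test configuration, and uses echo in place of the mysql client so that it runs offline.

```python
import os
import subprocess
import tempfile


def injected_value(marker_path):
    """Constructed stand-in for a value that ends up inside a quoted command
    template (e.g. a password from a test config). The leading double quote
    closes the template's own quotes, so /bin/sh sees a second command."""
    return '"; touch ' + marker_path + '; echo "'


def execute_cmd_shell(cmd):
    """The pattern the bug report describes: one string handed to /bin/sh."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, shell=True)
    out, _ = proc.communicate()
    return proc.returncode, out.decode(errors="replace")


def execute_cmd_argv(argv):
    """Hardened form: an argument list and no shell, so every element is
    passed to execve() as one literal argv entry and nothing is parsed."""
    if isinstance(argv, str):
        raise TypeError("pass a list of arguments, not a command string")
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    out, _ = proc.communicate()
    return proc.returncode, out.decode(errors="replace")


def run_demo():
    """Run the same template both ways and report, per variant, whether the
    smuggled 'touch' ran (marker file exists) or the value was echoed back
    as a single literal argument."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        variants = (
            # name, runner, how the command is built from the untrusted value
            ("shell", execute_cmd_shell, lambda v: 'echo "%s"' % v),
            ("argv", execute_cmd_argv, lambda v: ["echo", v]),
        )
        for name, runner, build in variants:
            marker = os.path.join(tmp, name + ".marker")
            value = injected_value(marker)
            rc, out = runner(build(value))
            results[name] = {
                "returncode": rc,
                "marker_created": os.path.exists(marker),
                "value_echoed_literally": value in out,
            }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r)
```

With shell=True the marker file appears and the echoed output is two empty lines, because /bin/sh ran three commands; with the argument list the marker is never created and the whole value, quotes and semicolons included, comes back as one echoed argument. If a shell is genuinely required (pipes, redirection), each interpolated value must go through shlex.quote() before it is spliced into the string; passing a list is the simpler and safer default.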