[Python-modules-team] Bug#827445: python3-proselint: Remove `shell=True` as they are a security hazard
Víctor Cuadrado Juan
me at viccuad.me
Thu Jun 16 08:20:09 UTC 2016
Package: python3-proselint
Version: 0.5.3-2
Severity: serious
Tags: security
Justification:
This is a migration blocker bug, as this issue is already fixed
in upstream's unreleased master.
As said in Python's subprocess docs,
using shell=True can be a security hazard[1],
as it opens the door to shell code injection.
`shell=True` could for example be removed from:
out = subprocess.check_output("proselint --version", shell=True)
subprocess.call("proselint --debug >/dev/null", shell=True)
These other examples are possibly vulnerable to shell code injection:
out = subprocess.check_output("proselint {}".format(fullpath),
shell=True)
subprocess.call("{} {}".format("open", fullpath), shell=True)
subprocess.call("proselint {} >/dev/null".format(filepath), shell=True)
These other examples could maybe use python equivalents instead?:
subprocess.call("find . -name '*.pyc' -delete", shell=True)
subprocess.call("rm -rfv proselint/cache > /dev/null && mkdir -p {}".format(
    os.path.join(os.path.expanduser("~"), ".proselint")), shell=True)
See also upstream's bug tracker [2].
[1]: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
[2]: https://github.com/amperser/proselint/issues/395
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python3-proselint depends on:
ii python3-click 6.6-1
ii python3-future 0.15.2-2
ii python3-six 1.10.0-3
pn python3:any <none>
python3-proselint recommends no packages.
python3-proselint suggests no packages.
-- no debconf information
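The following is an added example, not code from the bug report or from proselint itself. It shows the three kinds of call the report lists side by side: the `shell=True` string-formatting pattern run against a constructed file name containing shell metacharacters, the argument-list form that removes the shell, `shlex.quote` for the rare case where a shell is genuinely needed, and Python equivalents for the `find -delete` and `rm -rf && mkdir -p` calls. Assumptions: `echo` stands in for `proselint` so the example runs without the package installed; the cache helpers take an explicit project root and an optional home-directory override instead of relying on the current directory and the real `~`; the temporary tree is constructed inline.

```python
import os
import shlex
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample input: a file name under the caller's control that carries
# shell metacharacters. Any path taken from argv or a directory walk could look
# like this.
HOSTILE_NAME = "notes.md; echo INJECTED"


def run_unsafe(name):
    """The pattern flagged in the report: str.format() into a shell=True command.
    'echo' stands in for 'proselint' (assumption) so this runs without the
    package; /bin/sh splits on ';' and runs the attacker's second command."""
    return subprocess.check_output("echo {}".format(name), shell=True, text=True)


def run_safe(name):
    """The fix: pass an argument list and drop shell=True. The name becomes one
    argv entry, so ';' and everything after it are literal characters."""
    return subprocess.check_output(["echo", name], text=True)


def run_quoted(name):
    """If a shell really is needed (for '>/dev/null' or '&&'), quote every
    interpolated value with shlex.quote. Redirection is usually better done
    with stdout=subprocess.DEVNULL on an argument list instead."""
    return subprocess.check_output(
        "echo {}".format(shlex.quote(name)), shell=True, text=True)


def clean_pyc(root):
    """Python equivalent of: find . -name '*.pyc' -delete  (rooted at `root`).
    Returns the number of files removed."""
    removed = 0
    for pyc in Path(root).rglob("*.pyc"):
        pyc.unlink()
        removed += 1
    return removed


def reset_cache(project_root, home=None):
    """Python equivalent of:
        rm -rfv proselint/cache > /dev/null && mkdir -p ~/.proselint
    `project_root` replaces the implicit current directory and `home` overrides
    the home directory so a test need not touch the real one (assumptions)."""
    shutil.rmtree(Path(project_root) / "proselint" / "cache", ignore_errors=True)
    target = Path(home or os.path.expanduser("~")) / ".proselint"
    target.mkdir(parents=True, exist_ok=True)
    return target


def demo():
    """Exercise the helpers on a constructed temporary tree and return the
    results as a dict so they can be checked rather than only printed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "proselint" / "cache").mkdir(parents=True)
        (root / "proselint" / "cache" / "stale").write_text("old")
        (root / "a.pyc").write_text("")
        (root / "sub").mkdir()
        (root / "sub" / "b.pyc").write_text("")
        (root / "sub" / "keep.py").write_text("")
        removed = clean_pyc(root)
        target = reset_cache(root, home=root)
        return {
            "unsafe": run_unsafe(HOSTILE_NAME),    # "notes.md\nINJECTED\n"
            "safe": run_safe(HOSTILE_NAME),        # "notes.md; echo INJECTED\n"
            "quoted": run_quoted(HOSTILE_NAME),    # "notes.md; echo INJECTED\n"
            "pyc_removed": removed,
            "cache_gone": not (root / "proselint" / "cache").exists(),
            "home_dir_created": target.is_dir(),
            "keep_py_survives": (root / "sub" / "keep.py").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The unsafe call prints the file name and then `INJECTED` on its own line, because `/bin/sh` saw two commands; the other two forms hand the whole string to the program as a single argument and print it verbatim. The same applies to `subprocess.call("{} {}".format("open", fullpath), shell=True)`: `subprocess.call(["open", fullpath])` is the drop-in replacement.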