← Back to team overview

gufw-developers team mailing list archive

  1. gufw-developers team
  2. Mailing list archive
  3. Message #01814

Re: [Bug 1410839] Re: Shell Command injection in ufw_backend.py

  Thread PreviousDate PreviousThread Next 
Hi! I was thinking about this...

I think, as you said, the vulnerability could be the import/export by 
the path. I added these lines for check that:
=== modified file 'gufw/view/gufw.py'
--- gufw/view/gufw.py    2014-12-13 15:33:17 +0000
+++ gufw/view/gufw.py    2015-01-16 15:51:03 +0000
@@ -344,6 +344,12 @@

      def on_menu_import_activate(self, widget, data=None):
          import_profile = self._file_dialog('open', _("Import Profile"))
+
+        # Shell injection?
+        if not os.path.exists(import_profile):
+            self.show_dialog(self.winMain, _("Path not valid"), 
_("Please, report a bug here http://bugs.launchpad.net/gui-ufw";))
+            return
+
          profile = os.path.basename(import_profile) #Filename
          profile = os.path.splitext(profile)[0] # Ext

@@ -367,6 +373,11 @@
      def on_menu_export_activate(self, widget, data=None):
          export_profile = self._file_dialog('save', _("Export Profile"))

+        # Shell injection?
+        if not os.path.exists(export_profile):
+            self.show_dialog(self.winMain, _("Path not valid"), 
_("Please, report a bug here http://bugs.launchpad.net/gui-ufw";))
+            return
+
          if not export_profile:
              self.set_statusbar_msg(_("Export cancelled"))
              return


In other way, I think the profile name can't give a Shell injection, 
because the init profiles are read as regular files from 
/etc/gufw/*.profile, a new profile will be check this pattern: 
^[A-Za-z0-9_-]*$ and a deleted profile will have the previous patter or 
it will be a regular file.

What do you think? :)

Thanks a lot for your awesome feedback!
Costales

-- 
You received this bug notification because you are a member of Gufw
Developers, which is subscribed to Gufw.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

Status in Gufw:
  In Progress

Bug description:
  Firewall Administrators can be tricked by someone to export a profile
  with Gufw to an special crafted file or path name wich contains shell
  code.

  reason is this line in ufw_backend.py :

  def export_profile(self, profile, file):
      commands.getstatusoutput('cp /etc/gufw/' + profile + '.profile ' + file + ' ; chmod 777 ' + file)

  The rename and delete funktions are also unsave if profile name
  contains shell code, like semicolons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions

References

  Thread PreviousDate PreviousThread Next