
gufw-developers team mailing list archive

[Bug 1410839] Re: Shell Command injection in ufw_backend.py


Ok, the parameters are filtered now.

I'd still like to see subprocess.Popen() in combination with its parameter shell=False in the code.
Please, do not use commands.getstatusoutput(); it's unsafe when there are arguments in the string which the attacker can reach.
subprocess.Popen() directs the arguments in a better way to the program you want to run, so the args cannot execute another program.
https://docs.python.org/2/library/subprocess.html

And again, think about "quoting" if you still want to use commands.getstatusoutput() for some reason.
Quoting with shlex.quote(arg) should prevent shell command injection and ...
Quoting may also prevent an attacker from disabling the firewall if he appends some valid ufw commands, not only shell commands ;-)
https://docs.python.org/3/library/shlex.html#shlex.quote

Greetings from Germany
Bernd
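The two remedies Bernd describes, side by side, as an added example that is not code from Gufw or from this thread. It is Python 3 (shlex.quote does not exist in Python 2, as the linked docs show); the hypothetical base_dir parameter and the temporary profile directory in demo() are constructed so the example runs without /etc/gufw.

```python
import os
import shlex
import subprocess
import tempfile


def export_profile_shell_string(profile, file, base_dir="/etc/gufw"):
    # Shell-string variant, kept only to show the quoting advice: every
    # attacker-reachable value goes through shlex.quote(), so a name like
    # "x; rm -rf /" becomes one quoted word instead of a second command.
    src = shlex.quote(os.path.join(base_dir, profile + ".profile"))
    dst = shlex.quote(file)
    return "cp %s %s ; chmod 777 %s" % (src, dst, dst)


def export_profile(profile, file, base_dir="/etc/gufw"):
    # Preferred form: an argument list with shell=False, so no shell ever
    # parses the path and ';', '$(...)' or '&&' inside it are plain bytes.
    # "--" ends option parsing so a name starting with "-" is still a path.
    src = os.path.join(base_dir, profile + ".profile")
    subprocess.run(["cp", "--", src, file], shell=False, check=True)
    # The original did "chmod 777" through the shell; os.chmod needs no process.
    os.chmod(file, 0o777)
    return file


def demo():
    # Constructed scenario (not a real Gufw install): a profile directory in
    # a temp dir and an export name carrying shell metacharacters.
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "gufw")
        os.mkdir(base)
        with open(os.path.join(base, "home.profile"), "w") as fh:
            fh.write("[Home]\n")
        marker = os.path.join(tmp, "pwned")
        crafted = os.path.join(tmp, "out.txt; touch " + marker)
        export_profile("home", crafted, base_dir=base)
        exported = os.path.isfile(crafted)   # the literal name was used as the path
        side_effect = os.path.exists(marker)  # the embedded command never ran
        return exported, side_effect


if __name__ == "__main__":
    print(export_profile_shell_string("home", "x; rm -rf /"))
    print(demo())
```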

-- 
You received this bug notification because you are a member of Gufw
Developers, which is subscribed to Gufw.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

Status in Gufw:
  Fix Released
Status in gui-ufw package in Ubuntu:
  Confirmed

Bug description:
  Firewall Administrators can be tricked by someone to export a profile
  with Gufw to a specially crafted file or path name which contains shell
  code.

  The reason is this line in ufw_backend.py :

  def export_profile(self, profile, file):
      commands.getstatusoutput('cp /etc/gufw/' + profile + '.profile ' + file + ' ; chmod 777 ' + file)

  The rename and delete functions are also unsafe if the profile name
  contains shell code, like semicolons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions

