touch-packages team mailing list archive

[Bug 1462470] Re: pydoc.py uses old netscape navigator

 

Hi Bernd - Thanks for the report!

I don't see a way for an attacker to inject command line arguments for a
couple of reasons:

1) On Ubuntu, webbrowser is always available. It is provided by
libpython2.7-stdlib, which python2.7 depends on.

2) You can't provide arbitrary URLs. The GUI version of pydoc pops up a
TK-based dialogue. If you click 'open browser', open() is called with a
url=None. If you search for a keyword, it has to exist and be selectable
in the search results before you can click 'go to selected'. I don't see
a way to pass an arbitrary, malicious URL.

3) Even if #1 and #2 above were not mitigating factors, an attacker
would have to trick the user into launching pydoc in graphical mode,
then search for a specially crafted keyword, and then click 'go to
selected'. There are easier ways to trick users into doing things that
open them up to attacks.

I suggest that you work with upstream Python to get this issue fixed if
you're worried about non-Ubuntu platforms where this might be a security
issue.

** Changed in: python2.7 (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1462470

Title:
  pydoc.py uses old netscape navigator

Status in python2.7 package in Ubuntu:
  Invalid

Bug description:
  File :
  /usr/lib/python2.7/pydoc.py

  line : 2216 ... 2226

  pydoc.py uses old netscape navigator when the webbrowser module can
  not be imported:

  And it is vulnerable to shell command injection too,
  because it uses os.system() which allows shell commands in the parameter "url".

  code :

          def open(self, event=None, url=None):
              url = url or self.server.url
              try:
                  import webbrowser
                  webbrowser.open(url)
              except ImportError: # pre-webbrowser.py compatibility
                  if sys.platform == 'win32':
                      os.system('start "%s"' % url)
                  else:
                      rc = os.system('netscape -remote "openURL(%s)" &' % url)
                      if rc: os.system('netscape "%s" &' % url)

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: libpython2.7-stdlib 2.7.9-2ubuntu3
  ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
  Uname: Linux 3.16.0-24-generic i686
  NonfreeKernelModules: nvidia
  ApportVersion: 2.17.2-0ubuntu1.1
  Architecture: i386
  CurrentDesktop: MATE
  Date: Fri Jun  5 19:33:43 2015
  InstallationDate: Installed on 2014-11-02 (214 days ago)
  InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
  SourcePackage: python2.7
  UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions
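
Added example (not part of the original thread and not pydoc's own code): the shell-string pattern from the quoted fallback beside two safer forms, run on a constructed URL that contains a harmless command substitution. It is written for Python 3; `echo` stands in for the browser binary, and the function names and sample URL are assumptions made for illustration.

```python
import shlex
import subprocess

# Assumption: "echo" stands in for the browser binary, so the example runs
# anywhere and simply returns the argument the "browser" would receive.
BROWSER = "echo"


def open_vulnerable(url):
    """Same pattern as the quoted fallback: URL interpolated into a shell string."""
    cmd = '%s "%s"' % (BROWSER, url)
    # shell=True is equivalent to os.system() here: /bin/sh parses the string,
    # and double quotes do not stop $(...) or backtick expansion.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_argv(url):
    """No shell involved: the URL is one argv element and is never parsed."""
    return subprocess.run([BROWSER, url], capture_output=True, text=True).stdout


def open_quoted(url):
    """If a shell string is unavoidable, quote the argument with shlex.quote()."""
    cmd = "%s %s" % (BROWSER, shlex.quote(url))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Constructed input: a benign command substitution embedded in the "URL".
CRAFTED = "http://localhost:7464/$(echo INJECTED)"

if __name__ == "__main__":
    print("shell string :", open_vulnerable(CRAFTED).strip())
    print("argv list    :", open_argv(CRAFTED).strip())
    print("shlex.quote  :", open_quoted(CRAFTED).strip())
```

Only the first form lets the shell rewrite the argument; the other two pass the URL to the program byte for byte.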

