yahoo-eng-team team mailing list archive

[Bug 1348416] Re: Popen with shell=True


There is also a nasty shell=True in glance.tests.utils.execute, which is
probably even worse!

Our test_migrations code was copied from nova I believe, and a brief
glance at nova master indicates a similar use of shell=True in
test_migrations.py. So I'm adding Nova as well.

** Changed in: glance
       Status: New => Confirmed

** Changed in: glance
   Importance: Undecided => Low

** Also affects: nova
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1348416

Title:
  Popen with shell=True

Status in OpenStack Image Registry and Delivery Service (Glance):
  Confirmed
Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Glance uses subprocess.Popen with shell=True in
  glance/tests/unit/test_migrations.py line 175 in function
  _reset_datases:

          import subprocess

          def execute_cmd(cmd=None):
              # cmd is a single string handed to /bin/sh; any shell
              # metacharacter inside it is interpreted, not passed as data
              proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                      stderr=subprocess.STDOUT, shell=True)

  If execute_cmd contains, either accidentally or maliciously, a double
  quote then arbitrary data will be executed. Popen should be called
  with an argument list instead of directly through the shell. For more
  information on subprocess, shell=True and command injection see:
  https://docs.python.org/2/library/subprocess.html#frequently-used-arguments

  Since these are unit tests and the likelihood of malicious input is
  low the severity should also be low.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1348416/+subscriptions
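The bug report above quotes a shell=True call and recommends an argument list instead. The following is an added example, not code from the bug report or from Glance or Nova: it places the shell=True pattern beside the argument-list form, shows shlex.quote for the rare case where a shell really is needed, and adds a small ast-based audit that flags shell=True keyword arguments in Python source, the kind of check a linter runs over a tree to find the instances the report describes. The function names, the sample source string and the "database name" input are constructed for this example.

```python
import ast
import shlex
import subprocess


def run_via_shell(cmd):
    """Pattern quoted in the bug: one string parsed by /bin/sh.

    Any shell metacharacter in cmd (quotes, ;, |, $(...)) is interpreted
    by the shell instead of being treated as data.
    """
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, shell=True)
    return proc.communicate()[0].decode()


def run_argv(argv):
    """Form the bug recommends: argv is a list and no shell is involved,
    so each element reaches the program as one literal argument."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    return proc.communicate()[0].decode()


def quote_for_shell(argv):
    """If a shell is genuinely required (pipes, redirects), build the
    command line from individually quoted pieces rather than formatting
    raw values into a string."""
    return " ".join(shlex.quote(a) for a in argv)


def find_shell_true(source, filename="<constructed>"):
    """Return (lineno, callee name) for every call in `source` that passes
    shell=True, e.g. subprocess.Popen(..., shell=True).

    This is a constructed audit helper in the spirit of a linter check;
    it is not part of any OpenStack project.
    """
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        if isinstance(node.func, ast.Attribute):
            name = node.func.attr
        else:
            name = getattr(node.func, "id", "")
        for kw in node.keywords:
            if (kw.arg == "shell"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((node.lineno, name))
    return hits


if __name__ == "__main__":
    # Constructed value containing shell metacharacters: a double quote,
    # a semicolon and a command-substitution sequence.
    weird_name = 'db"name;$(true)'
    print(run_argv(["echo", weird_name]), end="")           # printed literally
    print(run_via_shell("echo " + quote_for_shell([weird_name])), end="")
    sample = ("import subprocess\n"
              "proc = subprocess.Popen(cmd, shell=True)\n"
              "subprocess.run(['ls'])\n")
    print(find_shell_true(sample))                           # [(2, 'Popen')]
```

With the argument-list form the metacharacters are inert: echo receives `db"name;$(true)` as a single argument and prints it back unchanged. Passing the same unquoted value through shell=True instead hands the shell an unterminated double quote, so the shell reports a syntax error rather than echoing the value, which is the interpretation-versus-data difference the report is about. The ast walk is a cheap way to inventory remaining shell=True call sites across a tree before deciding which ones carry untrusted input.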