yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1348416] Re: Popen with shell=True

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Sean Dague <sean@xxxxxxxxx>
Date: Thu, 11 Sep 2014 21:33:41 -0000
Reply-to: Bug 1348416 <1348416@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** No longer affects: nova

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1348416

Title:
  Popen with shell=True

Status in OpenStack Image Registry and Delivery Service (Glance):
  Confirmed
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Glance uses subprocess.Popen with shell=True in
  glance/tests/unit/test_migrations.py line 175 in function
  _reset_datases:

          def execute_cmd(cmd=None):
              proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                      stderr=subprocess.STDOUT, shell=True)

  If execute_cmd contains, either accidentally or maliciously, a double
  quote then arbitrary data will be executed. Popen should be called
  with an argument list instead of directly through the shell. For more
  information on subprocess, shell=True and command injection see:
  https://docs.python.org/2/library/subprocess.html#frequently-used-
  arguments

  Since these are unit tests and the likelihood of malicious input is
  low the severity should also be low.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1348416/+subscriptions