← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1348416] Re: Popen with shell=True

 

** Changed in: glance
       Status: Fix Committed => Fix Released

** Changed in: glance
    Milestone: None => kilo-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1348416

Title:
  Popen with shell=True

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Glance uses subprocess.Popen with shell=True in
  glance/tests/unit/test_migrations.py line 175 in function
  _reset_datases:

          def execute_cmd(cmd=None):
              proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                      stderr=subprocess.STDOUT, shell=True)

  If execute_cmd contains, either accidentally or maliciously, a double
  quote then arbitrary data will be executed. Popen should be called
  with an argument list instead of directly through the shell. For more
  information on subprocess, shell=True and command injection see:
  https://docs.python.org/2/library/subprocess.html#frequently-used-
  arguments

  Since these are unit tests and the likelihood of malicious input is
  low the severity should also be low.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1348416/+subscriptions