Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst · dca2fd28235bca84935701d468996fd1b3adbb12 · sip / Cpython

2 years ago

90620490

[3.8] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97633) · 90620490

Miss Islington (bot) authored 2 years ago


Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44f)

Co-authored-by: Victor Stinner <vstinner@python.org>

Unverified

90620490

History

[3.8] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97633)

Miss Islington (bot) authored 2 years ago


Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44f)

Co-authored-by: Victor Stinner <vstinner@python.org>