Subprocess redirect after object construction - ebranca/owasp-pysec GitHub Wiki

Classification

  • Affected Components : subprocess

  • Operating System : Linux

  • Python Versions : 2.6.x, 2.7.x

  • Reproducible : Yes

Source code

[1]


# import modules
import sys
import os
# 
from subprocess import Popen, PIPE

# Create Subprocess and redirect output to PIPE
proc1 = Popen(["echo", "1"], stdout = PIPE)
# Create Subprocess and redirect input,output and error
proc2 = Popen(["cat"], stdin = proc1.stdout, stderr = PIPE, stdout = PIPE)
# Redirect again the output after command setup
proc2.stdout = sys.stdout
# Next command blocks forever
print p2.communicate()

Steps to Produce/Reproduce

Copy the source code in a file and execute the script using the following command syntax:

$ python -OOBRtt test.py

Alternatively you can open python in interactive mode:

$ python -OOBRtt <press enter>

Then copy the lines of code into the interpreter.

Description

Python interpreter does not limit or prevent actions that are not safe or that can lead to logical errors, allowing complete freedom of actions to the developer.

This opens the door to situation in which a developer can write code like [1] that is semantically correct and can be executed without errors, but that in fact is logically broken and cannot produce any useful result.

This freedom can be used like in the following case when is possible to misinterpret how the command should functions and the interpreter happily execute the operation without raising alarms.

A developer could create a process using subprocess:

[2]

# Create Subprocess and redirect input,output and error
p2 = Popen(["cat"], stdin = p1.stdout, stderr = PIPE, stdout = PIPE)

And use the function POPEN to modify the stdout attribute (changing where standard out goes) along with stdin (standard input) and stderr (standard error) as in code part [2].

Then the developer changes the standard output:

[3]

# Redirect again the output after command setup
proc2.stdout = sys.stdout

The operation [3] should not be possible as the modification of the attribute after object construction cannot work as the system cannot "magically" move information over which has no control.

[4]

# Next command blocks forever
print p2.communicate()

In this case python allows a command [4] to be executed that has no sense from the operating system point of view therefore cannot work.

At the very least if is not possible to enforce controls within the interpreter, documentation should provide examples of valid code that has known broken logic.

Secure Implementation

WORK IN PROGRESS

References

[Standard streams][01] [01]:[http://en.wikipedia.org/wiki/Standard_streams]

[Python "subprocess" module][02] [02]:[https://docs.python.org/2/library/subprocess.html]

[Python System-Specific parameter][03] [03]:[https://docs.python.org/2/library/sys.html]

[Python bug 3687][04] [04]:[http://bugs.python.org/issue3687]