Comment by akdev1l

7 days ago

> Note also that if you're using a deficient shell that supports neither `printf %q` nor `${var@Q}` it's still easy to do quoting in `sed`. GNU `./configure` scripts do this internally, including special-casing to only quote the right side of `--arg=value`.

With the assumption that:

1. The person knows to do this weird thing 2. They do it consistently every time 3. They never forget

Also not sure how to use those solutions for the popen() example you provided.

The correct way is:

    subprocess.run([
       "gzip",
       "-c",
       "—-to-stdout",
       user_input
    ], stdout=open("foo.gz"))

And now I don’t have to worry about any of these weird things

11 comments

akdev1l

theamk 7 days ago

The idea is you have some 3rd-party app, which might accept a parameter and pass it to popen as-is, something like "--data-handler=command"

In this case, current "popen" semantics - a single shell command - works pretty well. You can pass it a custom process:

    --data-handler="scripts/handle_data.py"

or a shell fragment:

    --data-handler="gzip -c > last_data.gz"

or even mini-shell script:

    --data-handler "jq .contents | mail -s 'New data incoming' data-notify"

this is where the "shell command" arguments really shine - and note you cannot simulate all of this functionality with command vector.

akdev1l 7 days ago
Yes, in this specific use case you need a shell.
But that’s the same as saying you technically need SQL injection so that `psql -c 'command'` can work
> you cannot simulate all of this with command vector
Uhh, yes we can just call a shell:
subprocess.run(["bash", "-c", data_handler])
As a bonus this way we get control of which shell is being used and I find it is more explicit so I prefer it
- oguz-ismail 5 days ago
  
  > subprocess.run(["bash",
  Not the same thing, this is vulnerable to $PATH interception. You can hardcode the path to bash to avoid that but there's no guarantee that it'll always be there. system() on the other hand is guaranteed to run the operating system's command interpreter.
  
  2 replies →
- pwdisswordfishz 5 days ago
  
  subprocess.run(["bash", "-c", "--", data_handler])
  The very thing TFA complains about.
  
  1 reply →

panzi 7 days ago

You need to ensure that user_input doesn't start with `-`. You can do that by forcing an absolute path. Some programs accept `--` as a marker that any arguments after that are non-options.

pwdisswordfishz 5 days ago
No need for an absolute path, just a './' prefix.
- panzi 4 days ago
  
  Yes, but running it through a function that turns it into an absolute path is a way to ensure that. A way. An easy way.
- account42 5 days ago
  
  Unless the path was already absolute.