Re: [Python-ideas] shutil.run no security thread

2 views
Skip to first unread message

anatoly techtonik

unread,
May 23, 2012, 4:47:06 AM5/23/12
to Mike Meyer, python...@python.org
Ok, let's separately discuss shutil.run() added value without touching
security at all (subj changed).

Is it ok? Is it nice idea? Would it be included in stdlib in an ideal
world where security implications doesn't matter?
--
anatoly t.


On Tue, May 22, 2012 at 11:30 PM, Mike Meyer <m...@mired.org> wrote:
> On Tue, 22 May 2012 18:39:16 +0300
> anatoly techtonik <tech...@gmail.com> wrote:
>
>> Therefore, inspired by Fabric API, I've finally found the solution -
>> shutil.run() function:
>> https://bitbucket.org/techtonik/shutil-run/src
>>
>> run(command, combine_stderr=True):
>>
>>     Run command through a system shell, return output string with
>>     additional properties:
>>
>>         output.succeeded    - result of the operation True/False
>>         output.return_code  - specific return code
>>         output.stderr       - stderr contents if combine_stderr=False
>>
>>      `combine_stderr` if set, makes stderr merged into output string,
>>      otherwise it will be available  as `output.stderr` attribute.
> [...]
>> That's the most intuitive way I found so far. Objective advantages:
>>
>> 1. Better than
>>        subprocess.call(cmd, shell=true)
>>        subprocess.check_call(cmd, shell=true)
>>        subprocess.check_output(cmd, shell=True)
>>      because it is just
>>        shutil.run(cmd)
>>      i.e. short, simple and _easy to remember_
>
> -2
>
> Unless there's some way to turn off shell processing (better yet, have
> no shell processing be the default, and require that it be turned on),
> it can't be used securely with tainted strings, so it should *not* be
> used with tainted strings, which means it's pretty much useless in any
> environment where security matters. With everything being networked,
> there may no longer be any such environments.
>
>> 3. shutil.run() is predictable and consistent - its arguments are not
>> dependent on each other, their combination doesn't change the function
>> behavior over and over requiring you iterate over the documentation
>> and warnings again and again
>
> As proposed, it certainly provides a predictable and consistent
> vulnerability to code injection attacks.
>
>> 4. shutil.run() is the correct next level API over subprocess base
>> level. subprocess executes external process - that is its role, but
>> automatic ability to execute external process inside another external
>> process (shell) looks like a hack to me. Practical, but still a hack.
>
> It's only correct if you are in an environment where you don't care
> about security. If you care about security, you can't use it. If we're
> going to add yet another system() replacement, let's at least try and
> make it secure.
>
>     <mike
> --
> Mike Meyer <m...@mired.org>              http://www.mired.org/
> Independent Software developer/SCM consultant, email for more information.
>
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
_______________________________________________
Python-ideas mailing list
Python...@python.org
http://mail.python.org/mailman/listinfo/python-ideas

Chris Rebert

unread,
May 23, 2012, 5:26:53 AM5/23/12
to anatoly techtonik, python...@python.org
> On Tue, May 22, 2012 at 11:30 PM, Mike Meyer <m...@mired.org> wrote:
>> On Tue, 22 May 2012 18:39:16 +0300
>> anatoly techtonik <tech...@gmail.com> wrote:
>>
>>> Therefore, inspired by Fabric API, I've finally found the solution -
>>> shutil.run() function:
>>> https://bitbucket.org/techtonik/shutil-run/src
<snip>

>> -2
>>
>> Unless there's some way to turn off shell processing (better yet, have
>> no shell processing be the default, and require that it be turned on),
>> it can't be used securely with tainted strings, so it should *not* be
>> used with tainted strings, which means it's pretty much useless in any
>> environment where security matters. With everything being networked,
>> there may no longer be any such environments.
>>
>>> 3. shutil.run() is predictable and consistent - its arguments are not
<snip>

>> As proposed, it certainly provides a predictable and consistent
>> vulnerability to code injection attacks.
>>
>>> 4. shutil.run() is the correct next level API over subprocess base
>>> level. subprocess executes external process - that is its role, but
>>> automatic ability to execute external process inside another external
>>> process (shell) looks like a hack to me. Practical, but still a hack.
>>
>> It's only correct if you are in an environment where you don't care
>> about security. If you care about security, you can't use it. If we're
>> going to add yet another system() replacement, let's at least try and
>> make it secure.

On Wed, May 23, 2012 at 1:47 AM, anatoly techtonik <tech...@gmail.com> wrote:
> Ok, let's separately discuss shutil.run() added value without touching
> security at all (subj changed).
>
> Is it ok? Is it nice idea? Would it be included in stdlib in an ideal
> world where security implications doesn't matter?

I hope not, because it'd still have all the /usability/ pitfalls
associated with shell interpolation (and the consequent need to escape
command arguments).

Consider:
chris@MBP ~ $ mkdir foo && cd foo
chris@MBP foo $ ls
chris@MBP foo $ touch '~' # the horror
chris@MBP foo $ touch '$EDITOR' # you have a sick mind
chris@MBP foo $ ls -l # verify the devious plot
total 0
-rw-r--r-- 1 chris staff 0 May 23 02:11 $EDITOR
-rw-r--r-- 1 chris staff 0 May 23 02:11 ~
chris@MBP foo $ python
Python 2.7.1 (r271:86832, Jul 31 2011, 19:30:53)
>>> from os import listdir
>>> from subprocess import call
>>> for entry in listdir('.'):
… ret = call('ls '+entry, shell=True) # à la your wrapper
...
ls: ed: No such file or directory
<snipped; the contents of my home directory was here>
>>> # that's not what I wanted at all!

(Less contrived examples left as an exercise for the reader.)

Also, this isn't shell-specific, but it still should be made easier to
handle properly: What about a file named "--help"?

Cheers,
Chris
--
Sadly, no, `ed` isn't really my editor.
http://rebertia.com

P.S. Please avoid top-posting in the future.

Nick Coghlan

unread,
May 23, 2012, 8:22:56 AM5/23/12
to anatoly techtonik, python...@python.org
On Wed, May 23, 2012 at 6:47 PM, anatoly techtonik <tech...@gmail.com> wrote:
> Ok, let's separately discuss shutil.run() added value without touching
> security at all (subj changed).
>
> Is it ok? Is it nice idea? Would it be included in stdlib in an ideal
> world where security implications doesn't matter?

Sure. That world is called PHP (or C, for that matter).

We *care* about security implications, and trying to be secure by
default is part of that. Usability isn't everything, and it's OK if
software development is sometimes hard.

Cheers,
Nick.

--
Nick Coghlan   |   ncog...@gmail.com   |   Brisbane, Australia
Reply all
Reply to author
Forward
0 new messages