Package: python3-proselint
Version: 0.5.3-2
Severity: serious
Tags: security
Justification:

This is a migration blocker bug, as this issue is already fixed in upstream's
unreleased master.

As said in Python's subprocess docs, using shell=True can be a security
hazard [1], as it opens the door to shell code injection.

`shell=True` could for example be removed from:

    out = subprocess.check_output("proselint --version", shell=True)
    subprocess.call("proselint --debug >/dev/null", shell=True)

These other examples are possibly vulnerable to shell code injection:

    out = subprocess.check_output("proselint {}".format(fullpath), shell=True)
    subprocess.call("{} {}".format("open", fullpath), shell=True)
    subprocess.call("proselint {} >/dev/null".format(filepath), shell=True)

These other examples could maybe use Python equivalents instead?:

    subprocess.call("find . -name '*.pyc' -delete", shell=True)
    subprocess.call("rm -rfv proselint/cache > /dev/null && mkdir -p {}".format(
        os.path.join(os.path.expanduser("~"), ".proselint")), shell=True)

See also upstream's bug tracker [2].

[1]: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
[2]: https://github.com/amperser/proselint/issues/395

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-proselint depends on:
ii  python3-click   6.6-1
ii  python3-future  0.15.2-2
ii  python3-six     1.10.0-3
pn  python3:any     <none>

python3-proselint recommends no packages.

python3-proselint suggests no packages.

-- no debconf information
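The shell-free replacements the report asks for, as an added example that is not code from proselint or from the bug reporter: the path is passed as a single argv element instead of being interpolated into a shell string, and the `find`/`rm`/`mkdir` one-liners become stdlib calls. `TRICKY_PATH`, `argv_seen_by_child` and `self_check` are constructed for the demonstration (python stands in for the proselint binary so it runs offline); the helper names are assumptions, not proselint's API.

```python
import json
import os
import shutil
import subprocess
import sys
import tempfile

# Constructed sample path with shell metacharacters: interpolated into a shell=True
# string, /bin/sh would run "proselint notes" and then "echo INJECTED.md".
TRICKY_PATH = "notes; echo INJECTED.md"

def lint_argv(fullpath, prog=("proselint",)):
    """Argument vector replacing "proselint {}".format(fullpath) + shell=True."""
    return [*prog, fullpath]

def run_lint(fullpath, prog=("proselint",)):
    """Run the linter with no shell; the path is one argument whatever it contains."""
    return subprocess.run(lint_argv(fullpath, prog), capture_output=True, text=True)

def argv_seen_by_child(fullpath):
    """Show what the child receives, using python as a stand-in for proselint."""
    echo = (sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))")
    return json.loads(run_lint(fullpath, prog=echo).stdout)

def delete_pyc(root="."):
    """Pure-Python replacement for: find . -name '*.pyc' -delete"""
    removed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".pyc"):
                path = os.path.join(dirpath, name)
                os.remove(path)
                removed.append(path)
    return removed

def reset_cache(cache_dir, config_dir):
    """Replacement for: rm -rfv proselint/cache && mkdir -p ~/.proselint"""
    shutil.rmtree(cache_dir, ignore_errors=True)
    os.makedirs(config_dir, exist_ok=True)

def self_check():
    """Exercise the filesystem helpers in a scratch directory; True on success."""
    with tempfile.TemporaryDirectory() as tmp:
        cache, cfg = os.path.join(tmp, "cache"), os.path.join(tmp, "cfg")
        os.makedirs(os.path.join(cache, "sub"))
        pyc = os.path.join(cache, "sub", "x.pyc")
        open(pyc, "w").close()
        removed = delete_pyc(tmp)
        reset_cache(cache, cfg)
        return removed == [pyc] and not os.path.exists(cache) and os.path.isdir(cfg)
```

With the argv form, `argv_seen_by_child(TRICKY_PATH)` returns the whole string as one argument and nothing is executed by a shell; the `>/dev/null` redirections in the original calls are covered by `capture_output=True` (or `stdout=subprocess.DEVNULL`).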