Hi Bernd - Thanks for the report!
I don't see a way for an attacker to inject command line arguments for a
couple of reasons:
1) On Ubuntu, webbrowser is always available. It is provided by
libpython2.7-stdlib, which python2.7 depends on.
2) You can't provide arbitrary URLs. The GUI version of pydoc pops up a
TK-based dialogue. If you click 'open browser', open() is called with a
url=None. If you search for a keyword, it has to exist and be selectable
in the search results before you can click 'go to selected'. I don't see
a way to pass an arbitrary, malicious URL.
3) Even if #1 and #2 above were not mitigating factors, an attacker
would have to trick the user into launching pydoc in graphical mode,
then search for a specially crafted keyword, and then click 'go to
selected'. There are easier ways to trick users into doing things that
open them up to attacks.
I suggest that you work with upstream Python to get this issue fixed if
you're worried about non-Ubuntu platforms where this might be a security
issue.
** Changed in: python2.7 (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1462470
Title:
pydoc.py uses old netscape navigator
Status in python2.7 package in Ubuntu:
Invalid
Bug description:
File :
/usr/lib/python2.7/pydoc.py
line : 2216 ... 2226
pydoc.py uses old netscape navigator when the webbrowser module can
not be imported:
And it is vulnerable to shell command injection too,
because it uses os.system() wich allows shell commands in the parameter "url".
code :
def open(self, event=None, url=None):
url = url or self.server.url
try:
import webbrowser
webbrowser.open(url)
except ImportError: # pre-webbrowser.py compatibility
if sys.platform == 'win32':
os.system('start "%s"' % url)
else:
rc = os.system('netscape -remote "openURL(%s)" &' % url)
if rc: os.system('netscape "%s" &' % url)
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libpython2.7-stdlib 2.7.9-2ubuntu3
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: i386
CurrentDesktop: MATE
Date: Fri Jun 5 19:33:43 2015
InstallationDate: Installed on 2014-11-02 (214 days ago)
InstallationMedia: Ubuntu MATE 14.10 "Utopic Unicorn" - i386 (20141023)
SourcePackage: python2.7
UpgradeStatus: Upgraded to vivid on 2015-06-05 (0 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1462470/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
