Shell injection vulnerability

[progval]

I think there is a shell injection vulnerability here: https://github.com/avkpol/pulsarvoip/blob/bd892833cbcb7164093c2a15e6f5382ca7edef3e/src/pulsarvpn/views/button_handler.py#L23-L27

The user name is substituted in the command without any sanitization. A possible fix is to rewrite the code this way:

    openKeyGen = ['openvpn', '--genkey', '--secret', 'key_' + req_user]
    openKeyTest = ['openvpn', '--test-crypto', '--secret', 'key_' +req_user]
    if request.method == 'POST':
         previousDir = os.getcwd()
        os.chdir('/etc/openvpn')
        try:
            subprocess.Popen(openKeyGen)
            subprocess.Popen(openKeyTest)
        finally:
            os.chdir(previousDir)

And similarily for the rest of the code (which is currently commented)

[avkpol]

Happy New Year!! Thanks, Valentin, for comment and stuff to learn. This way code looks much more “pythonic” Andriy

On Jan 1, 2016, at 2:39 PM, Valentin Lorentz notifications@github.com wrote:

I think there is a shell injection vulnerability here: https://github.com/avkpol/pulsarvoip/blob/bd892833cbcb7164093c2a15e6f5382ca7edef3e/src/pulsarvpn/views/button_handler.py#L23-L27

The user name is substituted in the command without any sanitization. A possible fix is to rewrite the code this way:

openKeyGen = ['openvpn', '--genkey', '--secret', 'key_' + req_user]
openKeyTest = ['openvpn', '--test-crypto', '--secret', 'key_' +req_user]
if request.method == 'POST':
            previousDir = os.getcwd()
            os.chdir('/etc/openvpn')
            try:
        subprocess.Popen(openKeyGen)
        subprocess.Popen(openKeyTest)
    finally:
                os.chdir(previousDir)

And similarily for the rest of the code (which is currently commented)

— Reply to this email directly or view it on GitHub.