Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update wget.py to prevent shell injection #50

Closed
wants to merge 1 commit into from
Closed

Update wget.py to prevent shell injection #50

wants to merge 1 commit into from

Conversation

mvsite
Copy link

@mvsite mvsite commented Aug 9, 2023

used urlparse and shlex.quote to limit user to intended capability

To show that your contribution is compatible with the MIT License, please include the following text somewhere in this PR description:
This PR complies with the DCO; https://developercertificate.org/

@mvsite
Update wget.py to prevent shell injection
81d3c9b 
used urlparse and shlex.quote to limit user to intended capability
@mvsite
Copy link
Author

mvsite commented Aug 9, 2023

I realize this is very low priority and only a nitpick about capability for authorized users, and I didn't actually test to see if it was exploitable in the first place, but honestly I am just testing github and haven't really used it before (as a contributor). Thanks for making copyparty!

@mvsite
Copy link
Author

mvsite commented Aug 9, 2023

..and in the same day I learned that you can't delete a pull request once it is created. That's too bad, because I'm pretty sure this wasn't exploitable anyway. :) Oh well. Have a nice day!

@mvsite mvsite closed this Aug 9, 2023
@9001
Copy link
Owner

9001 commented Aug 9, 2023

No worries, thanks for the concern (and for using copyparty!) 👍

You're right -- this would have been necessary if the subprocess.check_call had been invoked with shell=True. But thanks to the -- (stop argument parsing) and the shell=False (its default value), the worst-case outcome of any malicious input should be that wget simply fails safely.

But I like the idea of a protocol whitelist, since this could avoid any creative / unintended uses of wget. For example, wget does not currently support the file protocol, but we definitely don't want anyone to be able to use that! So I'd like to merge this with just a few changes if you're up for it :>

  • quoting the url is not necessary (and could potentially cause issues), since this is handled by subprocess already
  • the protocol whitelist should also allow ftp

9001 added a commit that referenced this pull request Aug 20, 2023
@9001
wget: only allow http/https/ftp/ftps (#50):
7df890d 
these are all the protocols that are currently supported by wget,
so this has no practical effect aside from making sure we won't
suddenly get file:// support or something (which would be bad)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mvsite @9001