diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2022-10-04 17:07:55 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-04 17:07:55 (GMT) |
| commit | 90620490c04b6894d5a3f4214ecf5a10b41d25ec (patch) | |
| tree | dcd4c98604ec34a1709fb96b6173e4ec1d0f0d58 /Misc/NEWS.d/next | |
| parent | 246a044641388dfd5023cb4b8dbe5519cb41d943 (diff) | |
| download | cpython-90620490c04b6894d5a3f4214ecf5a10b41d25ec.zip cpython-90620490c04b6894d5a3f4214ecf5a10b41d25ec.tar.gz cpython-90620490c04b6894d5a3f4214ecf5a10b41d25ec.tar.bz2 | |
[3.8] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97633)
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.
Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
Co-authored-by: Victor Stinner <vstinner@python.org>
Diffstat (limited to 'Misc/NEWS.d/next')
| -rw-r--r-- | Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst new file mode 100644 index 0000000..2f11349 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst @@ -0,0 +1,3 @@ +Fix a shell code injection vulnerability in the ``get-remote-certificate.py`` +example script. The script no longer uses a shell to run ``openssl`` commands. +Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner. |