diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2022-10-04 17:00:16 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-04 17:00:16 (GMT) |
| commit | d6ef6805b2e60a50a83e73bd2f40fc3a03715b32 (patch) | |
| tree | c97e86d8c6588d175d8a0d26ca2aa600fa6a5c3b /Misc | |
| parent | 94dbdbbd403950857913049c7445534d7ec86d39 (diff) | |
| download | cpython-d6ef6805b2e60a50a83e73bd2f40fc3a03715b32.zip cpython-d6ef6805b2e60a50a83e73bd2f40fc3a03715b32.tar.gz cpython-d6ef6805b2e60a50a83e73bd2f40fc3a03715b32.tar.bz2 | |
[3.9] gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613) (GH-97632)
gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613)
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.
Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
Co-authored-by: Victor Stinner <vstinner@python.org>
Diffstat (limited to 'Misc')
| -rw-r--r-- | Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst new file mode 100644 index 0000000..2f11349 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst @@ -0,0 +1,3 @@ +Fix a shell code injection vulnerability in the ``get-remote-certificate.py`` +example script. The script no longer uses a shell to run ``openssl`` commands. +Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner. |