diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2022-09-28 23:50:07 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-28 23:50:07 (GMT) |
| commit | e3815d7d6d42925589f4e45ec7dcd4fda6b1dc9c (patch) | |
| tree | d6252c72f05d36e43f555e7040ad7186281b2edc /Misc | |
| parent | 28f1435d94e72a1fadec2e3d94eac300bb386c2e (diff) | |
| download | cpython-e3815d7d6d42925589f4e45ec7dcd4fda6b1dc9c.zip cpython-e3815d7d6d42925589f4e45ec7dcd4fda6b1dc9c.tar.gz cpython-e3815d7d6d42925589f4e45ec7dcd4fda6b1dc9c.tar.bz2 | |
gh-97612: Fix shell injection in get-remote-certificate.py (GH-97613)
Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a
shell to run "openssl" commands. Issue reported and initial fix by
Caleb Shortt.
Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.
Co-authored-by: Caleb Shortt <caleb@rgauge.com>
(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
Co-authored-by: Victor Stinner <vstinner@python.org>
Diffstat (limited to 'Misc')
| -rw-r--r-- | Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst new file mode 100644 index 0000000..2f11349 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst @@ -0,0 +1,3 @@ +Fix a shell code injection vulnerability in the ``get-remote-certificate.py`` +example script. The script no longer uses a shell to run ``openssl`` commands. +Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner. |