Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Notes aren't properly escaped in Python, security concern #48

Open
Burrito-Bazooka opened this issue Oct 4, 2016 · 0 comments
Open

Notes aren't properly escaped in Python, security concern #48

Burrito-Bazooka opened this issue Oct 4, 2016 · 0 comments

Comments

@Burrito-Bazooka
Copy link

Burrito-Bazooka commented Oct 4, 2016
edited
Loading

After posting this, I had a change of heart and wanted to email @karpathy instead and give him a bit of time, but found that I could not delete the issue (and title edit history is saved and visible), and rationalised that it seems obvious anyway and people probably already know if they looked at the code and understand Python string formatting.

To reproduce the bug under Linux, open ulogme's web UI, then click on an event, and try saving a note like "This is a test && echo 'hello world' > /home/user/test"

It doesn't save the whole note, and there's a new file under "/home/user/test" (if you could write to /home/user/) - proving an arbitrary execution security hole for anyone running ulogme with IP set to "" (the default), most default firewall setups, and untrusted devices on their LAN.

https://github.com/karpathy/ulogme/blob/master/ulogme_serve.py#L48

Merging #33 will go some way to remedying other issues like this that might exist. Or using an IP setting of "127.0.0.1" (instead of empty string or "0.0.0.0"), which means only localhost will be able to access the server (though I think this means that other users running on your system will still be able to execute commands as you).

This is how I fixed it in my own copy of ulogme. Replace line 48 in ulogme_serve.py with:

      writenote(note, note_time)

Add this after the current import statements:

import subprocess

Then add this function either just before or just after the class definition:

def writenote(note, time_=None):
  cmd = ["./note.sh"]
  if time_ is not None:
    cmd.append(str(time_))
  process = subprocess.Popen(cmd, stdin=subprocess.PIPE)
  process.communicate(input=note)
  process.wait()

I can't check whether that would work on OSX.
@Burrito-Bazooka Burrito-Bazooka mentioned this issue Oct 4, 2016
Open
@Burrito-Bazooka Burrito-Bazooka changed the title Notes aren't properly escaped in Python, security concern (something I decided to email the maintainer about first) Oct 4, 2016
@Burrito-Bazooka Burrito-Bazooka changed the title (something I decided to email the maintainer about first) Notes aren't properly escaped in Python, security concern Oct 4, 2016
@Burrito-Bazooka Burrito-Bazooka mentioned this issue Oct 15, 2016
Closed
Naereen added a commit to Naereen/uLogMe that referenced this issue Oct 16, 2016
@Naereen
Improvements on ulogme_serve.py:
c7cca4f 
- Better handling of Ctrl+C or ^C (KeyboardInterrupt)
- Better warning message if the PORT was already used
- Better exceptions message
- Cleaner organization: address and port and chdir are in the __file__ = '__main__' if case
- Security concern: karpathy#48 suggested to use IP='127.0.0.1' and not ''
- Added the writenote(..) function to improve (fix?) security threats as indicated in #3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Burrito-Bazooka