shell code injection in lftp backend

Bug #1529606 reported by Bernd Dietzel
Affects | Status | Importance | Assigned to | Milestone
Duplicity | Fix Released | Low | Unassigned |

Bug Description

The lftpbackend.py can start a shell command in the backup path name, but should not.

Examples which start the program xeyes:
================================

duplicity /home "ftps://127.0.0.1:2121/backup';shell xeyes;'/test"

duplicity /home "ftps://127.0.0.1:2121/backup' ||shell xeyes||ls '"

edso (ed.so) wrote :

more or less a duplicate of
 https://bugs.launchpad.net/duplicity/+bug/1520691

demonstrating that shell parameters should be properly escaped before used in a commandline for backend.subprocess_popen()

this is a bug and needs to be fixed in all shell based backends, which will be some effort.

security-wise the severity is low (although Bernd might disagree):
this can be used to run a second process with the user's permissions if the user can be tricked to use a specially crafted url. experience tells us that our users use scripts to run duplicity and enter the url once. copying something from somewhere untrusted and pasting to the commandline is a bad idea at any time.

..ede/duply.net

Changed in duplicity:
status: New → Confirmed
importance: Undecided → Low
Kenneth Loafman (kenneth-loafman) wrote : Re: [Bug 1529606] Re: shell code injection in lftp backend

At the point we get the source or destination paths, shlex.quote() could be
used to safely quote the path parts. Since this does not appear possible
in the hostname or the schema parts, we should be safe to rebuild the URL
with the quoted path. Gonna have to play with it a bit.

On Mon, Dec 28, 2015 at 6:49 AM, edso <email address hidden> wrote:

> more or less a duplicate of
> https://bugs.launchpad.net/duplicity/+bug/1520691
>
> demonstrating that shell parameters should be properly escaped before
> used in a commandline for backend.subprocess_popen()
>
> this is a bug and needs to be fixed in all shell based backends, which
> will be some effort.
>
> security-wise the severity is low (although Bernd might disagree):
> this can be used to run a second process with the user's permissions if the
> user can be tricked to use a specially crafted url. experience tells us
> that our users use scripts to run duplicity and enter the url once. copying
> something from somewhere untrusted and pasting to the commandline is a bad
> idea at any time.
>
> ..ede/duply.net

Bernd Dietzel (l-ubuntuone1104) wrote :

@Kenneth
quote() is a good idea. Think about python2 and python3.

try:
    from shlex import quote
except ImportError:
    from pipes import quote

Please do not forget to exchange the '%s' into %s in the backends so you get no double-quoting problems.

@edso
I hope that the user script does not request a new url automatically when the ftps server is full or offline ;-)

Thank you :-)
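
Added example (not part of the original thread and not duplicity's own code): it takes the path part of the two URLs from the bug description and shows how a POSIX shell would split a command line built three ways, with hand-written `'%s'`, with `quote()` while the old `'%s'` is kept (the double-quoting problem mentioned above), and with bare `%s` plus `quote()`. The program name `backup-helper`, the `--cd` option and the path `/my backups;old` are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

# The two target URLs from the bug description.
PAGE_URLS = [
    "ftps://127.0.0.1:2121/backup';shell xeyes;'/test",
    "ftps://127.0.0.1:2121/backup' ||shell xeyes||ls '",
]
# Constructed, harmless directory name containing a space and a semicolon.
BENIGN_PATH = "/my backups;old"
HELPER = "backup-helper"  # hypothetical program name, not a duplicity command


def url_path(url):
    """Return the path part of the URL, the part that is to be quoted."""
    return urlsplit(url).path


def build_unsafe(path):
    # Hand-written quotes around %s: a ' inside the value closes them.
    return "%s --cd '%s'" % (HELPER, path)


def build_double(path):
    # quote() applied but the old '%s' kept: the two layers cancel out.
    return "%s --cd '%s'" % (HELPER, shlex.quote(path))


def build_safe(path):
    # Bare %s plus quote(): the value stays one shell word.
    return "%s --cd %s" % (HELPER, shlex.quote(path))


def shell_tokens(command):
    """Split a command line into words and operators, POSIX-shell style."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def path_is_one_argument(command, path):
    """True if the shell would pass `path` unchanged as a single argument."""
    return shell_tokens(command) == [HELPER, "--cd", path]


if __name__ == "__main__":
    for p in [url_path(u) for u in PAGE_URLS] + [BENIGN_PATH]:
        for build in (build_unsafe, build_double, build_safe):
            print(build.__name__, shell_tokens(build(p)),
                  path_is_one_argument(build(p), p))
```

Only `build_safe` keeps every path as one unchanged argument; `build_double` either mangles the value or, for a value without single quotes such as the constructed path, lets the `;` through as an operator again.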

Kenneth Loafman (kenneth-loafman) wrote :

shlex.quote() is available for Python2.6 and up, and for Python3.x and up,
so no need for pipes.

On Mon, Dec 28, 2015 at 8:31 AM, Bernd Dietzel <email address hidden>
wrote:

> @Kenneth
> quote() is a good idea. Think about python2 and python3.
>
> try:
>     from shlex import quote
> except ImportError:
>     from pipes import quote
>
> Please do not forget to exchange the '%s' into %s in the backends so you
> get no double-quoting problems.
>
>
> @edso
> I hope that the user script does not request a new url automatically when
> the ftps server is full or offline ;-)
>
> Thank you :-)

Kenneth Loafman (kenneth-loafman) wrote :

lftpbackend.py has been fixed. The rest have not.

Changed in duplicity:
assignee: nobody → Kenneth Loafman (kenneth-loafman)
milestone: none → 0.7.07
status: Confirmed → In Progress
Kenneth Loafman (kenneth-loafman) wrote :

All popen commands go through backend.subprocess_popen() which takes care of quoting before shelling out.

Changed in duplicity:
status: In Progress → Fix Committed
assignee: Kenneth Loafman (kenneth-loafman) → nobody
Changed in duplicity:
status: Fix Committed → Fix Released