Fix for CVE-2022-37460 - Removed "shell=True", made args a list, and revised to handle stdin in function#96014
calebshortt wants to merge 1 commit into python:main from
Conversation
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool. |
Please file an issue in this GitHub repo related to this. Adjust the PR title to refer to the gh-#####: issue number. PRs are already public. There is no reason not to file an issue once a PR exists. (And no need to refer to the CVE, as that is being withdrawn.)
vstinner
left a comment
This change breaks the script. I'm not sure if you tested the script manually with your change.
To remove shell=True, you have to split the r'openssl x509 (...)' shell command manually.
Anyway, I wrote PR #97613, which works and has a NEWS entry. I credited you in my PR.
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
Superseded by #97613. Thanks for the PR! |
Fixes a vulnerability (CVE-2022-37460) in the get-remote-certificate script that would allow remote code execution given a malicious host parameter.
NOTE: Issue reported to python security but no gh-#####.
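The injection the description refers to, and the argv-list shape vstinner asks for, side by side. This is an added example written for this page; it is neither CPython's get-remote-certificate.py nor the code of PR #96014 or #97613. The shell string in `vulnerable_command` is reconstructed from the discussion (host and port interpolated into an `openssl s_client ... < /dev/null` command run with shell=True), the `evil` host value is constructed, and `stdin_echo_argv` is a stand-in for openssl so the stdin path can be exercised offline. `shell_tokens` only shows how a POSIX shell would tokenize the string; nothing injected is executed.

```python
"""Added example: host interpolated into a shell=True string, versus an argv
list with stdin fed by subprocess. Not the CPython script or either PR."""
import shlex
import subprocess
import sys


def vulnerable_command(host, port):
    # Shape of the injectable call, reconstructed from the PR discussion:
    # the untrusted host is pasted into a string that /bin/sh will parse.
    return 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' % (host, port)


def shell_tokens(cmd):
    # What the shell would see: POSIX quoting, with ; < > | & ( ) split out
    # as operators. Used only to show the injection, never to run it.
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def safe_command(host, port):
    # argv list, no shell: the host is one argv element whatever it contains,
    # so quotes and ';' inside it reach openssl as data. Port range is
    # checked too; this check is an extra the discussion does not mention.
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-showcerts"]


def run_with_stdin(args, stdin_bytes=b"quit\n"):
    # Replaces the '< /dev/null' redirection and the Windows temp file:
    # subprocess supplies stdin itself, so no shell and no temp file needed.
    proc = subprocess.run(args, input=stdin_bytes,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.returncode, proc.stdout


def stdin_echo_argv():
    # Hypothetical stand-in for openssl: a Python child that echoes its stdin,
    # so the stdin handling can be tested without openssl installed.
    return [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]


if __name__ == "__main__":
    evil = 'example.com"; echo pwned; "'   # constructed malicious host value
    print("shell would run:", shell_tokens(vulnerable_command(evil, 443)))
    print("argv actually passed:", safe_command(evil, 443))
    print("stdin round trip:", run_with_stdin(stdin_echo_argv(), b"quit\n"))
```

With the malicious host, the shell tokenization shows `echo pwned` as a separate command between two `;` operators, while the argv form keeps the whole string as the single `-connect` value, where openssl will merely fail to resolve it.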