Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. References: https://security-tracker.debian.org/tracker/CVE-2017-17522
Created python tracking bugs for this issue:
Affects: fedora-all [bug 1526182]

Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1526180]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1526181]

Created python33 tracking bugs for this issue:
Affects: fedora-all [bug 1526178]

Created python34 tracking bugs for this issue:
Affects: fedora-all [bug 1526179]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1526177]
Pedro, how do you track what Python version we have in Fedora? Note that you are creating a bug for the python component, but that's dead since Fedora 25 EOL. Please update it to python2 in your tracking info. Also, we added python37 quite recently as well.
It seems python upstream was not notified of this issue. Pedro, could you provide any info (if any) on the relevant upstream bug?
Charalampos, I couldn't find any more info on it. This CVE seems to have been issued by Debian. Maybe they have more information.

Miro, our tracking docs are correct, but I copied that affect list from an old bug. Thank you for pointing that out. I fixed the list.
I don't understand which strings need to be validated here.
I think what the reporter actually mentions is the ability to trick the user into setting a specially-crafted BROWSER variable, before launching the browser via the webbrowser.py command. I tried the following:

1.
    $ export set BROWSER="elinks; touch /tmp/foo"
    $ python -m webbrowser -t "http://www.google.com"
   Result: Launches firefox and /tmp/foo does not exist

2.
    $ export set BROWSER="elinks; /home/huzaifas/a"
    $ python -m webbrowser -t "http://www.google.com"
   Result: Launches firefox and /tmp/foo is created. Here /home/huzaifas/a contains "touch /tmp/foo"

3.
    $ export set BROWSER="elinks; ls > /tmp/list"
    $ python -m webbrowser -t "http://www.google.com"
   Result: Launches firefox, /tmp/list is not created

4.
    $ export set BROWSER="ls > /tmp/list"
    $ python -m webbrowser -t "http://www.google.com"
   Result: Launches firefox, /tmp/list is not created

So I assume that the argument at https://nvd.nist.gov/vuln/detail/CVE-2017-17522#vulnDescriptionTitle is correct. Since webbrowser.py is using Popen, which has shell=False as default, it would not be possible for the attacker to inject malicious commands via the BROWSER env variable.
Yes, BROWSER is fine.

One thing Python does not validate is the URL, so one could, for example, open a *private* window of Firefox with:

    export BROWSER=firefox
    python3 -c 'import webbrowser; webbrowser.open("--private-window")'

or set the default browser:

    export BROWSER=firefox
    python3 -c 'import webbrowser; webbrowser.open("--setDefaultBrowser")'

Maybe that's what the CVE reporter wanted to say?
(In reply to Petr Viktorin from comment #7)
> Yes, BROWSER is fine.
>
> One thing Python does not validate is the URL, so one could, for example,
> open a *private* window of Firefox with:
>
> export BROWSER=firefox
> python3 -c 'import webbrowser; webbrowser.open("--private-window")'
>
> or set the default browser:
>
> export BROWSER=firefox
> python3 -c 'import webbrowser; webbrowser.open("--setDefaultBrowser")'
>
> Maybe that's what the CVE reporter wanted to say?

Upstream contested this CVE and the desc explicitly mentions "BROWSER" variable not the URL variable. Also I don't see any merit in fixing this.
I don't either. Closing; if any more discussion is needed then please re-open.
Statement: As per upstream, "exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting". On testing, it seems upstream has correctly concluded the non-security nature of this bug.
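
Added example, not part of the original bug report or of CPython's code: it shows why shell=False keeps shell metacharacters inert while an option-like "URL" (the case raised in comment #7) still reaches the program as an option, and how a caller can validate the URL before calling webbrowser.open. The names argv_seen_by_child, checked_url, safe_open and ALLOWED_SCHEMES are hypothetical, the http/https allowlist is an assumption, and the inputs are constructed.

```python
import json
import subprocess
import sys
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are opened

# Stand-in "browser": a child Python process that reports the argv it received.
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def argv_seen_by_child(*args):
    """Launch the stand-in with shell=False (the Popen default) and return
    the argument list exactly as the child process saw it."""
    out = subprocess.run(ECHO_ARGV + list(args), shell=False,
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def checked_url(url):
    """Return url if it can only be read as an http(s) URL, else raise ValueError."""
    if url.startswith("-"):
        raise ValueError(f"would be parsed as a command-line option: {url!r}")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return url


def safe_open(url, opener):
    """Validate first, then hand the URL to opener (e.g. webbrowser.open)."""
    return opener(checked_url(url))


if __name__ == "__main__":
    # Constructed inputs. Shell metacharacters stay inside one literal argument,
    print(argv_seen_by_child("http://example.com/; echo injected"))
    # but an option-like "URL" arrives as an option the program may act on.
    print(argv_seen_by_child("--private-window"))
    for candidate in ("https://example.com/", "--private-window", "mailto:a@example.com"):
        try:
            safe_open(candidate, lambda u: print("would open", u))
        except ValueError as exc:
            print("rejected:", exc)
```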