From 340251550897cb98ae83ad1040750d6300112e80 Mon Sep 17 00:00:00 2001
From: Oleg Iarygin
Date: Thu, 14 Apr 2022 22:26:14 +0300
Subject: [PATCH 1/4] Fix CVE-2015-20107 in mailcap
---
 Lib/mailcap.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
index ae416a8e9fb273..b03419df3f94a0 100644
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -1,6 +1,7 @@
 """Mailcap file handling. See RFC 1524."""
 import os
+import subprocess
 import warnings
 __all__ = ["getcaps","findmatch"]
@@ -170,7 +171,7 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
 for e in entries:
 if 'test' in e:
 test = subst(e['test'], filename, plist)
- if test and os.system(test) != 0:
+ if test and subprocess.run(test).returncode != 0:
 continue
 command = subst(e[key], MIMEtype, filename, plist)
 return command, e
@@ -250,8 +251,7 @@ def test():
 print("No viewer found for", type)
 else:
 print("Executing:", command)
- sts = os.system(command)
- sts = os.waitstatus_to_exitcode(sts)
+ sts = subprocess.run(command).returncode
 if sts:
 print("Exit status:", sts)
From 80313aee23f2632d7b6cad7f909780272cf60d67 Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Thu, 14 Apr 2022 19:35:32 +0000
Subject: [PATCH 2/4] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../next/Security/2022-04-14-19-35-31.gh-issue-68966.foD-qB.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Security/2022-04-14-19-35-31.gh-issue-68966.foD-qB.rst
diff --git a/Misc/NEWS.d/next/Security/2022-04-14-19-35-31.gh-issue-68966.foD-qB.rst b/Misc/NEWS.d/next/Security/2022-04-14-19-35-31.gh-issue-68966.foD-qB.rst
new file mode 100644
index 00000000000000..0d4c56c1c61588
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-04-14-19-35-31.gh-issue-68966.foD-qB.rst
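Review bot: `subprocess.run(test)` in the findmatch hunk receives the substituted command as one string without `shell=True`, so on POSIX the whole string is looked up as a single executable name: any `test=` entry that has arguments, and any program that is not installed, raises FileNotFoundError out of findmatch instead of the non-zero status that made the old `os.system` call skip the entry; the `sts = subprocess.run(command).returncode` line in the `test()` hunk below has the same problem. An unrunnable test program should still read as a failed test, which needs an `except OSError` around the call that then falls through to `continue`. The hunk also only changes how the `test=` field is evaluated: `command` is still built by `subst` from the caller-supplied `filename` and returned as a string for the caller to execute, so the substitution the CVE is about is unchanged on that path, and rejecting a `filename` that contains shell metacharacters before `subst` would cover the returned command as well. findmatch starts before the hunk.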
@@ -0,0 +1 @@
+Fixed CVE-2015-20107 reported against :mod:`mailcap`. Contributed by Oleg Iarygin.
From 97ad77783de8114a9f6724303045fb377012eea7 Mon Sep 17 00:00:00 2001
From: Oleg Iarygin
Date: Thu, 14 Apr 2022 22:58:40 +0300
Subject: [PATCH 3/4] Return stdout/stderr capturing as os.system did
---
 Lib/mailcap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
index b03419df3f94a0..225d1234f23c53 100644
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -251,7 +251,7 @@ def test():
 print("No viewer found for", type)
 else:
 print("Executing:", command)
- sts = subprocess.run(command).returncode
+ sts = subprocess.run(command, capture_output=True).returncode
 if sts:
 print("Exit status:", sts)
From 88e57a2945d0c9309136afb44a30c52c058e5be3 Mon Sep 17 00:00:00 2001
From: Oleg Iarygin
Date: Thu, 14 Apr 2022 23:44:16 +0300
Subject: [PATCH 4/4] Break a command line to arguments
---
 Lib/mailcap.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
index 225d1234f23c53..de9dfdda54bfc5 100644
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -1,6 +1,7 @@
 """Mailcap file handling. See RFC 1524."""
 import os
+import shlex
 import subprocess
 import warnings
@@ -171,7 +172,7 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
 for e in entries:
 if 'test' in e:
 test = subst(e['test'], filename, plist)
- if test and subprocess.run(test).returncode != 0:
+ if test and subprocess.run(shlex.split(test)).returncode != 0:
 continue
 command = subst(e[key], MIMEtype, filename, plist)
 return command, e
@@ -251,7 +252,8 @@ def test():
 print("No viewer found for", type)
 else:
 print("Executing:", command)
- sts = subprocess.run(command, capture_output=True).returncode
+ arguments = shlex.split(command)
+ sts = subprocess.run(arguments, capture_output=True).returncode
 if sts:
 print("Exit status:", sts)
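Review bot: `capture_output=True` on the `sts = subprocess.run(command, capture_output=True).returncode` line does the opposite of what the commit title states: `os.system` never captured the child's output, it let the viewer write to the inherited stdout and stderr, whereas this call buffers both streams in memory and then discards them, so the `test()` driver now shows nothing from the viewer it runs. Dropping `capture_output=True` restores the old behaviour; if the intent really is to silence the child, `stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL` says so without holding the output in memory. The `test()` function starts before the hunk.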
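Review bot: `shlex.split(test)` in the findmatch hunk is applied to a string that already contains the substituted `filename`, so a filename with an unbalanced quote makes `shlex.split` raise ValueError out of findmatch, and a test program that does not exist still raises FileNotFoundError from `subprocess.run` instead of the non-zero status that skips the entry; the same applies to `arguments = shlex.split(command)` in the `test()` hunk below. Both cases should be caught (`except (ValueError, OSError): continue`) so that malformed input or an unrunnable program reads as a failed test rather than a crash in the matcher. Splitting and executing directly also drops the shell semantics that RFC 1524 mailcap entries are written against — redirections, pipes and `$DISPLAY`-style variables in a `test=` field no longer work — which deserves a sentence in the module docstring, since existing mailcap files may stop matching without any error. findmatch starts before the hunk.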