From 344f602da58b5db40362be82b208eede2029e52d Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Wed, 25 Jul 2012 16:21:55 -0700
Subject: [PATCH] Check hostnames from the evironment before Popen()ing with them.

This was probably safe anyway, but since we're passing things from the environment into a subprocess call, let's be extra careful about privilege escalations.
---
 client-webserver/client.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/client-webserver/client.py b/client-webserver/client.py
index a483785ca..e2bf4acb2 100755
--- a/client-webserver/client.py
+++ b/client-webserver/client.py
@@ -17,6 +17,18 @@ if len(sys.argv) > 1:
 else:
     server = os.environ["CHOCOLATESERVER"]
 
+def is_hostname_sane(hostname):
+    """
+    Do just enough to ensure to avoid shellcode from the environment. There's
+    no need to do more.
+    """
+    import string as s
+    allowed = s.ascii_letters + s.digits + "-." # hostnames & IPv4
+    allowed += "[]:" # IPv6
+    return all([c in allowed for c in hostname])
+
+assert is_hostname_sane(server), `server` + " is an impossible hostname"
+
 upstream = "https://%s/chocolate.py" % server
 
 if len(sys.argv) > 3:
@@ -69,8 +81,8 @@ def make_request(m, csr):
     m.request.recipient = server
     m.request.timestamp = int(time.time())
     m.request.csr = csr
-    hashcash_command = "hashcash -P -m -z 12 -b %d -r %s" % (difficulty, server)
-    hashcash = subprocess.check_output(hashcash_command.split(), preexec_fn=drop_privs, shell=False).rstrip()
+    hashcash_cmd = ["hashcash", "-P", "-m", "-z", "12", "-b", `difficulty`, "-r", server]
+    hashcash = subprocess.check_output(hashcash_cmd, preexec_fn=drop_privs, shell=False).rstrip()
     if hashcash:
         m.request.clientpuzzle = hashcash
 
 def sign(key, m):
@@ -135,3 +147,5 @@ if r.success.IsInitialized():
 elif r.failure.IsInitialized():
     print "Server reported failure."
     sys.exit(1)
+
+# vim: set expandtab tabstop=4 shiftwidth=4
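Review bot: The guard on `server` in the first hunk is an `assert`, which Python drops under `-O`, so the very check this commit adds can silently disappear when the script runs optimized; an explicit test keeps it in every mode: `if not is_hostname_sane(server): raise SystemExit(repr(server) + " is an impossible hostname")`. `is_hostname_sane` also returns True for an empty string, because `all([])` is True, so an empty `CHOCOLATESERVER` slips through; `return bool(hostname) and all(c in allowed for c in hostname)` closes that and drops the throwaway list. Whether a value starting with `-` would be taken by hashcash as an option rather than as the `-r` argument cannot be told from this hunk; if it can, rejecting a leading `-` in the same function is a cheap addition.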
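Review bot: In the second hunk the new argv list passes the backtick repr of `difficulty` where the old format string used `%d`, so if `difficulty` is ever a string the argument becomes `'12'` with literal quotes, which hashcash will not parse as a number, whereas `%d` would have raised at the call; `str(difficulty)` (or `"%d" % difficulty` to keep the int check) is the safer spelling. Building the command as a list is the right change, since the old `.split()` would have turned any whitespace in `server` into extra arguments. The enclosing `make_request` begins before this hunk, so where `difficulty` is assigned is not visible here.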