Fix for CVE-2022-37460 - Removed "shell=True", made args a list, and revised to handle stdin in function
Fixes a vulnerability (CVE-2022-37460) in the get-remote-certificate script that would allow for remote code execution given a malicious host parameter.
NOTE: Issue reported to python security but no gh-#####.
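An added illustration of the pattern named in the pull request title (not code from this PR or from CPython): the command is built as a list, run without `shell=True`, and stdin is set in the call instead of through a shell redirect. The names `build_argv`, `run` and `ECHO_ARGV` are hypothetical, the child process is a stand-in that only reports the arguments it received, and the host value is a constructed sample.

```python
import subprocess
import sys

# Stand-in for the external program (assumption: the real script invokes an
# external client binary; this child only reports the arguments it was given).
ECHO_ARGV = [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))"]


def build_argv(host, port):
    """Build the command as a list so host and port are never parsed by a shell."""
    port = int(port)  # raises ValueError for anything that is not a number
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if not host:
        raise ValueError("empty host")
    # host and port travel together as ONE argv element, whatever they contain.
    return ECHO_ARGV + ["-connect", f"{host}:{port}"]


def run(host, port):
    """Run the command with no shell; stdin is closed off in the call itself."""
    proc = subprocess.run(
        build_argv(host, port),      # list form: no /bin/sh in between
        stdin=subprocess.DEVNULL,    # replaces a shell-level '< /dev/null'
        capture_output=True,
        text=True,
        check=True,
        timeout=10,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    # Constructed sample value containing shell metacharacters.
    print(run("host.invalid; echo MARKER", 443))
```

With a list and no shell, the metacharacters in the sample host reach the child as literal text inside a single argument; nothing splits the string into a second command.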
Most changes to Python require a NEWS entry.
Please add it using the blurb_it web app or the blurb command-line tool.
Please file an issue in this GitHub repo related to this. Adjust the PR title to refer to the gh-#####: issue number. PRs are already public. There is no reason not to file an issue once a PR exists.
(and no need to refer to the CVE as that is being withdrawn)
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.
Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.
Superseded by https://github.com/python/cpython/pull/97613. Thanks for the PR!