Python bindings HOWTO proof reader request

Vinay Sajip vinay_sajip at yahoo.co.uk
Mon Mar 19 09:35:16 CET 2018

Dear Ben,
Thanks for the update.
Regards,
Vinay Sajip
On Monday, 19 March 2018, 04:11:03 GMT, ben at adversary.org <ben at adversary.org> wrote:

 On Sun, Mar 18, 2018 at 05:07:02PM +0000, Vinay Sajip via Gnupg-devel wrote:
> Dear Ben,
> I am the maintainer of the python-gnupg package. This section about
> it in your HOWTO is, I believe, incorrect: "Unfortunately it has
> been beset by a number of security issues, most of which stemmed
> from using unsafe methods of accessing the command line via the
> subprocess calls."

I've amended it to indicate that that was the case in the past, but
that efforts have been made to mitigate that.

> At one time this was true - the subprocess calls in early versions
> were made with shell=True and therefore subject to injection
> attacks. However, this has not been the case for quite some time -
> subprocess is currently called with shell=False and not (as far as I
> know) insecure in the way you describe.

The HOWTO was mainly referring to the old shell=True issues and the
current change should address that in context.

> You also say "most of which stemmed from using unsafe methods of
> accessing the command line" - what were the *other* security issues,
> and where were they raised / who raised them?

That also referred to the code you added to prevent certain types of
operators being used to inject code even via shell=False, but without
going into the full details in what's essentially a short summary.

So the "who" there would be you and looking at things like the
"UNSAFE" regex mitigation you have on line 93 of the current code.  ;)

> Obviously, I want to ensure that python-gnupg has no avoidable
> security issues, so your feedback would be helpful in achieving
> this.

Fair enough.  I know I've commented on a few past logged issues, but
it has been a while (I got distracted by, well, by this project).

> I would also be grateful if you updated your HOWTO to remove the
> inaccuracy about python-gnupg.

Done.  Though I stopped short of giving it the complete all clear on
the grounds that there hasn't been a full audit of the project
recently.  I don't think it'll do bad things, but that's not the same
as knowing for sure.

Also, I stopped using it before the shell changes were made, so I'm
not across the most recent updates.  For my own projects I briefly
used the, now very defunct, PyCrypto library (before the project
died), and then switched to my port of pyme and its brief appearance
as pyme3 in 2015.  Then ultimately updated to the current bindings
after Justus worked his magic on pyme3 to make them this thing.

I think the last time I really looked at python-gnupg was around the
time support was added for enabling multiple signatures of a single
file or message.  I vaguely recall citing my own key transition
statement as the use case for someone else's feature request.  So that
was clearly a while ago.


Regards,
Ben
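To make the shell=True versus shell=False distinction from the exchange above concrete, here is an added example (not code from python-gnupg or from either correspondent): the same untrusted argument is run both ways with a harmless `echo`, alongside a small metacharacter check in the spirit of the "UNSAFE" mitigation Ben mentions. The regex and function names are hypothetical illustrations, not python-gnupg's actual code, and the example assumes a POSIX sh and echo are available.

```python
import re
import subprocess

# Constructed untrusted input: a "filename" that carries a shell metacharacter.
UNTRUSTED_ARG = "report.txt; echo injected"

# Hypothetical metacharacter check in the spirit of the mitigation discussed
# above. This is NOT python-gnupg's real UNSAFE pattern, just an illustration.
UNSAFE = re.compile(r"[;&|`$<>\\'\"\n]")


def is_unsafe(arg: str) -> bool:
    """Return True if arg contains characters a shell would interpret."""
    return UNSAFE.search(arg) is not None


def run_with_shell(arg: str) -> str:
    """Vulnerable pattern: the command is assembled as a string and handed
    to /bin/sh, which parses the ';' and runs a second command."""
    completed = subprocess.run("echo " + arg, shell=True,
                               capture_output=True, text=True, check=True)
    return completed.stdout


def run_without_shell(arg: str) -> str:
    """Hardened pattern: an argv list with shell=False. The argument reaches
    echo verbatim because no shell ever parses it."""
    completed = subprocess.run(["echo", arg], shell=False,
                               capture_output=True, text=True, check=True)
    return completed.stdout


def guarded_run(arg: str) -> str:
    """Defence in depth: reject metacharacters before exec, even though
    shell=False already keeps the shell out of the picture."""
    if is_unsafe(arg):
        raise ValueError(f"unsafe characters in argument: {arg!r}")
    return run_without_shell(arg)


if __name__ == "__main__":
    print("shell=True :", repr(run_with_shell(UNTRUSTED_ARG)))
    print("shell=False:", repr(run_without_shell(UNTRUSTED_ARG)))
    try:
        guarded_run(UNTRUSTED_ARG)
    except ValueError as exc:
        print("guarded    :", exc)
```

With shell=True the output shows two lines (the second command ran); with shell=False the whole string is echoed literally as one argument.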