Bug 41736 - UMC-client executes code
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 4.1-2-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
URL:
Depends on:
Blocks:
Reported: 2016-07-05 19:36 CEST by Florian Best
Modified: 2021-06-23 07:29 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Florian Best univentionstaff 2016-07-05 19:36:32 CEST
umc-command -o "__import__('os').system('touch /tmp/hacked'):foo=bar" -n
umc-command -e -o "__import__('os').system('touch /tmp/hacked')" -n

As we use this script in various places with arguments from user input, we should not allow code execution.
Comment 1 Florian Best univentionstaff 2016-07-12 13:40:29 CEST
Replace eval() by ast.literal_eval().

univention-management-console.yaml:
r70940 | YAML Bug #41736

univention-management-console (8.0.28-17):
r70939 | Bug #41736: don't execute/evaluate code in umc-client arguments
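The eval()-to-ast.literal_eval() change from comment 1, reduced to two small option parsers so the difference can be run against the report's payload. This is an added example, not Univention's code from r70939: the function names and the 'name=value' / '-e' parsing conventions are assumptions for illustration, and the payload is the report's with a harmless expression in place of the touch command.

```python
"""Added example (not umc-command's own code): the pre-fix eval() pattern
beside the post-fix ast.literal_eval() pattern from Bug #41736 comment 1.
parse_option_unsafe/parse_option_safe/parse_eval_option_safe are assumed
names for illustration, not functions of univention-management-console."""
import ast
import os

# Constructed argument modelled on the report's payload, with a harmless
# expression instead of "touch /tmp/hacked" so the demo has no side effects.
PAYLOAD = "__import__('os').getcwd()"

# What literal_eval raises on non-literal input. MemoryError/RecursionError
# are included because absurdly nested input can blow the parser up: it is
# safe against code execution, not against resource exhaustion.
LITERAL_ERRORS = (ValueError, SyntaxError, TypeError, MemoryError, RecursionError)


def parse_option_unsafe(arg):
    """Pre-fix pattern: the value half of 'name=value' goes through eval(),
    so anything after '=' runs as Python in the calling process."""
    name, _, raw = arg.partition("=")
    return name, eval(raw)  # deliberately vulnerable, kept for comparison


def parse_option_safe(arg):
    """Post-fix pattern: only Python literals (numbers, strings, booleans,
    None, lists, dicts, tuples) are decoded; anything else stays a string."""
    name, _, raw = arg.partition("=")
    try:
        return name, ast.literal_eval(raw)
    except LITERAL_ERRORS:
        return name, raw


def parse_eval_option_safe(arg):
    """The '-e' form from the report: the whole argument must be a literal
    dict of options, otherwise it is rejected instead of evaluated."""
    try:
        value = ast.literal_eval(arg)
    except LITERAL_ERRORS as exc:
        raise ValueError("option is not a Python literal: %r" % arg) from exc
    if not isinstance(value, dict):
        raise ValueError("option must be a dict, got %s" % type(value).__name__)
    return value


def unsafe_parser_executes_code():
    """True when eval() actually ran the payload (result equals the real cwd)."""
    return parse_option_unsafe("dir=" + PAYLOAD)[1] == os.getcwd()


def safe_parser_keeps_payload_inert():
    """True when literal_eval refused the payload and it stayed a plain string."""
    return parse_option_safe("dir=" + PAYLOAD)[1] == PAYLOAD


def eval_form_rejects_payload():
    """True when the '-e' style parser raises on the payload instead of running it."""
    try:
        parse_eval_option_safe(PAYLOAD)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("eval() ran the payload:", unsafe_parser_executes_code())
    print("literal_eval kept it inert:", safe_parser_keeps_payload_inert())
    print("-e form rejects the payload:", eval_form_rejects_payload())
    # Legitimate literals still decode; a bare word falls back to a string.
    print(parse_option_safe("count=42"), parse_option_safe("names=['a', 'b']"),
          parse_option_safe("foo=bar"), parse_eval_option_safe("{'foo': 'bar'}"))
```

Two caveats a practitioner would check before relying on this pattern: literal_eval stops code execution but still parses attacker-controlled text, so the size of the argument should be bounded and the MemoryError/RecursionError cases caught as above; and the fall-back to a raw string means callers still have to validate the type of each option rather than assuming a literal was decoded.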
Comment 2 Dirk Wiesenthal univentionstaff 2016-07-18 14:24:18 CEST
There are some small backward incompatibilities.

Anyway, the "features" dropped are not used and not useful.

Code: OK
YAML: OK
Comment 3 Janek Walkenhorst univentionstaff 2016-07-21 15:16:24 CEST
<http://errata.software-univention.de/ucs/4.1/212.html>