Implement subprocess.Popen safely
Currently most of the subprocess.Popen calls in Freezer are made with shell=True. This is insecure and needs to change: shell=True must be removed and the command arguments provided as a list (possibly using the current string.split()). This needs to be done as soon as possible, because if Freezer is configured through an API, command strings injected via the API could lead to remote command execution. Also, since the default shell for subprocess.Popen is /bin/sh, it can be helpful to add an argument such as env=os.
Blueprint information
- Status: Started
- Approver: Fausto Marzi
- Priority: Medium
- Drafter: Fausto Marzi
- Direction: Needs approval
- Assignee: None
- Definition: Discussion
- Series goal: None
- Implementation: Blocked
- Milestone target: None
- Started by: Pierre-Arthur MATHIEU
- Completed by:
Whiteboard
Gerrit topic: https:/
Addressed by: https:/ (Implement subprocess.Popen safely)
Implementing this will break backup encryption. We use a pipe to pass tar output to openssl. Pipes do not work without shell=True.
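The two points above (argument lists instead of shell=True, and the tar-to-openssl pipe that seems to need a shell) are illustrated by the following added example; it is not Freezer's code. The helper names, the PATH-only environment and the two python children standing in for tar and openssl are assumptions made here.

```python
import json
import os
import shlex
import subprocess
import sys

# Hypothetical helpers (not Freezer's own); the "untrusted value" stands for
# a path or option that might arrive through a configuration API.

def env_for_child():
    """Explicit, minimal environment for child processes (the blueprint
    suggests passing env= to Popen). Only PATH is inherited (assumption)."""
    return {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}

def build_argv(template, untrusted_value):
    """Safe form: shlex.split a fixed, trusted template and append the
    untrusted value as one argv element. No shell ever parses the value."""
    return shlex.split(template) + [untrusted_value]

def argv_as_seen_by_child(untrusted_value):
    """Run a child that reports its argv as JSON, showing that shell
    metacharacters in the value stay inside a single argument."""
    argv = build_argv(
        "python -c 'import json,sys; print(json.dumps(sys.argv[1:]))'",
        untrusted_value)
    argv[0] = sys.executable  # pin the interpreter running this script
    return json.loads(subprocess.check_output(argv, env=env_for_child()))

def run_pipeline(producer, consumer, env=None):
    """'producer | consumer' without shell=True: chain two Popen objects,
    which is how the tar | openssl pipe can be kept with argument lists."""
    p1 = subprocess.Popen(producer, stdout=subprocess.PIPE, env=env)
    p2 = subprocess.Popen(consumer, stdin=p1.stdout,
                          stdout=subprocess.PIPE, env=env)
    p1.stdout.close()  # p2 owns the read end; p1 gets SIGPIPE if p2 exits early
    out, _ = p2.communicate()
    rc1 = p1.wait()
    if rc1 != 0 or p2.returncode != 0:
        raise subprocess.CalledProcessError(rc1 or p2.returncode,
                                            producer + ["|"] + consumer)
    return out

def demo_pipeline():
    """Stand-in for tar | openssl: one child writes bytes, the other
    upper-cases whatever it reads from stdin (constructed sample)."""
    producer = [sys.executable, "-c",
                "import sys; sys.stdout.write('freezer backup\\n')"]
    consumer = [sys.executable, "-c",
                "import sys; sys.stdout.write(sys.stdin.read().upper())"]
    return run_pipeline(producer, consumer, env=env_for_child())

if __name__ == "__main__":
    print(argv_as_seen_by_child("backup dir; echo INJECTED"))
    print(demo_pipeline())
```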