FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-salt -- potential shell injection vulnerabilities

Affected packages
py27-salt < 2015.5.0


VuXML ID 865863af-fb5e-11e4-8fda-002590263bf5
Discovery 2015-05-11
Entry 2015-05-24

Colton Myers reports:

In order to fix potential shell injection vulnerabilities in salt modules, a change has been made to the various cmd module functions. These functions now default to python_shell=False, which means that the commands will not be sent to an actual shell.

The largest side effect of this change is that "shellisms", such as pipes, will not work by default. The modules shipped with salt have been audited to fix any issues that might have arisen from this change. Additionally, the cmd state module has been unaffected, and use of in jinja is also unaffected. calls on the CLI will also allow shellisms.

However, custom execution modules which use shellisms in cmd calls will break, unless you pass python_shell=True to these calls.

As a temporary workaround, you can set cmd_safe: False in your minion and master configs. This will revert the default, but is also less secure, as it will allow shell injection vulnerabilities to be written in custom code. We recommend you only set this setting for as long as it takes to resolve these issues in your custom code, then remove the override.
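The distinction the report draws between python_shell=False and python_shell=True is the same one Python's subprocess module makes between an argv list and a shell string. The following is an added illustration written for this entry, not code from Salt or from the advisory; it does not use Salt's cmd module at all, but calls subprocess directly with a constructed untrusted value, and assumes only that `echo` and `tr` are on the PATH of a POSIX system.

```python
import shlex
import subprocess

# Constructed untrusted input: the kind of value a custom execution
# module might interpolate into a command (a user-supplied filename,
# hostname, etc.). The ";" is only meaningful if a shell parses it.
UNTRUSTED = "hello; echo injected"


def run_without_shell(arg: str) -> str:
    """Analogue of the python_shell=False default: the command is an
    argv list handed straight to exec(). No shell sees the string, so
    ``arg`` arrives at echo as one literal argument and the ";" is
    printed rather than interpreted."""
    result = subprocess.run(["echo", arg], capture_output=True,
                            text=True, check=True)
    return result.stdout


def run_with_shell_unquoted(arg: str) -> str:
    """Analogue of python_shell=True combined with naive string
    interpolation. /bin/sh splits the line at ";" and runs a second
    command, which is the injection the report describes."""
    result = subprocess.run("echo " + arg, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_with_shell_quoted(arg: str) -> str:
    """When a shellism (here a pipe) is genuinely needed and
    python_shell=True must be used, quote every untrusted fragment with
    shlex.quote before building the command line; the shell then treats
    the whole value as a single word."""
    cmd = "echo " + shlex.quote(arg) + " | tr a-z A-Z"
    result = subprocess.run(cmd, shell=True, capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("no shell      :", repr(run_without_shell(UNTRUSTED)))
    print("shell, raw    :", repr(run_with_shell_unquoted(UNTRUSTED)))
    print("shell, quoted :", repr(run_with_shell_quoted(UNTRUSTED)))
```

The first function is what custom modules get for free once they stop passing python_shell=True; the third is the pattern to reach for in code that still needs pipes, rather than reverting the default globally with cmd_safe: False.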