gh-97612: Fix shell injection in get-remote-certificate.py

[vstinner]

Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer uses a shell to run "openssl" commands. Issue reported and initial fix by Caleb Shortt.

Remove the Windows code path to send "quit" on stdin to the "openssl
s_client" command: use DEVNULL on all platforms instead.

• Issue: [security] Tools/scripts/get-remote-certificate.py is vulnerable to shell code injection #97612

[vstinner]

@gpshead: Would you mind to review this fix?

The fix should also be backported to the 3.7 branch, but there is a conflict, so I will do the backport manually once this PR is merged.

cc @calebshortt

[zware]

What's the point of even keeping this script? Has anyone used it in the past 12 years?

[vstinner]

What's the point of even keeping this script? Has anyone used it in the past 12 years?

In Python 3.12, IMO it's fine to consider removing the script. But for stable Python versions (3.7-3.11), IMO we should fix the script.

I'm working on proposal to remove most Tools/scripts/ scripts, but first I have to look into these scripts to decide what to do with them, categorize them, etc. There are more than 70 scripts.

[gpshead]

on windows stdin was hooked up to a file containing "quit\n". was that necessary? If so, use your added subproc stdin= support from above to do that. otherwise, get rid of the added subprob stdin= support to make this PR smaller.

[vstinner]

Right, I removed the now unused stdin parameter.

This script is used to connect to a HTTPS server. Saying "quit\n" to a HTTP server makes no sense to me. Maybe on Windows, previously the command was blocked until the user wrotes something and then press ENTER? But with this change, the stdin is replaced with DEVNULL (NUL device on Windows) and so it should no longer block.

First, I basically rewrote the whole script. I don't get half of the code. For example, it runs the "x509" to get the same output than the input... it doesn't make any sense to me. But I tried to keep this change as small as possible...

Then I think that we should just remove the script in the main branch :-)

My main motivation for this change is to prevent users to report the same issue later, even if the impact of the vulnerability is basically non existent since I don't imagine that anyone runs such script on a production server with inputs taken from the Internet...

[zware]

In that case, I'd take the current report as reason to remove the script from main, and the next report as reason to remove it from other branches. Or just go ahead and remove it everywhere. It's not worth fixing.

[vstinner]

Since the fix is straightforward, I prefer first to fix the script in all branches.

[vstinner]

I created https://discuss.python.org/t/remove-outdated-tools-scripts-scripts/19571 discussion to propose removing outdated example scripts.

[vstinner]

@gpshead: Would you mind to review the updated PR?

[miss-islington]

Thanks @vstinner for the PR 🌮🎉.. I'm working now to backport this PR to: 3.8, 3.9, 3.10, 3.11.
🐍🍒⛏🤖

[bedevere-bot]

GH-97630 is a backport of this pull request to the 3.11 branch.

[bedevere-bot]

GH-97631 is a backport of this pull request to the 3.10 branch.

[bedevere-bot]

GH-97632 is a backport of this pull request to the 3.9 branch.

[bedevere-bot]

GH-97633 is a backport of this pull request to the 3.8 branch.

[miss-islington]

Thanks @vstinner for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

[miss-islington]

Sorry, @vstinner, I could not cleanly backport this to 3.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker 83a0f44ffd8b398673ae56c310cf5768d359c341 3.7

[bedevere-bot]

GH-97634 is a backport of this pull request to the 3.7 branch.

[vstinner]

@zware: I prefer the conservative approach, first fix the vulnerability, then discuss removing outdated scripts.