From 1a31a85160e3d200b5a44bcf0afe9c9f6b8d2ffb Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Sun, 15 Nov 2015 16:30:21 +0200
Subject: [PATCH] samba-tool: replace use of os.popen
The netcmd/domain.py module uses os.popen() on user-supplied parameters. This opens up the way to code injection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11601
Signed-off-by: Uri Simchoni
Reviewed-by: Alexander Bokovoy
---
 python/samba/netcmd/domain.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 9dfbc39..06a58e3 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -29,6 +29,7 @@ import os
 import sys
 import tempfile
 import logging
+import subprocess
 from samba.net import Net, LIBNET_JOIN_AUTOMATIC
 import samba.ntacls
 from samba.join import join_RODC, join_DC, join_subdomain
@@ -77,9 +78,16 @@ from samba.provision.common import (
 )
 def get_testparm_var(testparm, smbconf, varname):
- cmd = "%s -s -l --parameter-name='%s' %s 2>/dev/null" % (testparm, varname, smbconf)
- output = os.popen(cmd, 'r').readline()
- return output.strip()
+ errfile = open(os.devnull, 'w')
+ p = subprocess.Popen([testparm, '-s', '-l',
+ '--parameter-name=%s' % varname, smbconf],
+ stdout=subprocess.PIPE, stderr=errfile)
+ (out,err) = p.communicate()
+ errfile.close()
+ lines = out.split('\n')
+ if lines:
+ return lines[0].strip()
+ return ""
 try:
 import samba.dckeytab
--
2.4.3
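Review bot: In the new `get_testparm_var`, the handle from `errfile = open(os.devnull, 'w')` is leaked whenever `subprocess.Popen` or `communicate()` raises (for instance if the `testparm` path cannot be executed), because `errfile.close()` sits only on the success path; opening it as `with open(os.devnull, 'w') as errfile:` around those two calls closes it on every path. The exit status is never inspected and stderr is discarded, so a failed testparm run and a genuinely empty parameter both return an empty string; checking `p.returncode` after `communicate()` and logging or raising on failure would let callers tell the two apart. The `if lines:` guard is always true, since `out.split('\n')` yields at least one element, which makes the trailing `return ""` unreachable. Passing an argument list removes shell interpretation, but `smbconf` and `varname` still reach testparm unvalidated, so a value beginning with `-` would presumably be read as an option; where these values come from is not visible in this hunk, so the caller is the place to confirm they are checked.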