python-gnupg 0.3.4 shell injection

2014.02.05
Credit: Hanno
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

I was criticised in the past for making CVE requests without enough information. This is another case where I have a hard time complying with them. python-gnupg 0.3.5 lists in the changelog: "Added improved shell quoting to guard against shell injection." Source: https://code.google.com/p/python-gnupg/ Sounds like a severe security issue, but further info is lacking. python-gnupg has no public source code repository, so I can't link to any commit. I could obviously download the last and current version, diff them and try to find out. But that's quite a lot of work for a CVE request. Despite the lack of info, please assign CVE, as I think it's a severe issue.

+# We use the test below because it works for Jython as well as CPython +if os.path.__name__ == 'ntpath': + # On Windows, we don't need shell quoting, other than worrying about + # paths with spaces in them. + def shell_quote(s): + return '"%s"' % s +else: + # Section copied from sarge + + # This regex determines which shell input needs quoting + # because it may be unsafe + UNSAFE = re.compile(r'[^\w%+,./:= () -]') + + def shell_quote(s): + """ + Quote text so that it is safe for Posix command shells. + + For example, "*.py" would be converted to "'*.py'". If the text is + considered safe it is returned unquoted. + + :param s: The value to quote + :type s: str (or unicode on 2.x) + :return: A safe version of the input, from the point of view of Posix + command shells + :rtype: The passed-in type + """ + if not isinstance(s, string_types): + raise TypeError('Expected string type, got %s' % type(s)) + if not s: + result = "''" + elif len(s) >= 2 and (s[0], s[-1]) == ("'", "'"): + result = '"%s"' % s.replace('"', r'\"') + elif not UNSAFE.search(s): + result = s + else: + result = "'%s'" % s.replace("'", "'\"'\"'") + return result + + # end of sarge code
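Review bot: the branch for input that already starts and ends with a single quote (`elif len(s) >= 2 and (s[0], s[-1]) == ("'", "'")`) wraps the value in double quotes and escapes only `"`, but a POSIX shell still expands `$`, backticks and backslash sequences inside double quotes, so that branch is weaker than the final `"'%s'" % s.replace("'", "'\"'\"'")` branch and should be dropped in favour of single-quoting unconditionally (the `'"'"'` replacement already handles embedded single quotes). The `UNSAFE` class `[^\w%+,./:= () -]` also treats space and parentheses as safe, so `"a b"` is returned unquoted and is split into two arguments by the shell, and the Windows branch `'"%s"' % s` never escapes an embedded `"` at all. The most robust fix is to avoid the shell entirely by passing the gpg command as an argument list to `subprocess.Popen` without `shell=True`, at which point no quoting function is needed; if a quoted string is required, use the standard library's `pipes.quote` (Python 2) / `shlex.quote` (Python 3.3+) rather than a hand-written variant.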

References:

http://seclists.org/oss-sec/2014/q1/243

