Shell injection via subprocess.call(shell=True) with user-controlled path and loginServer in start_game() #3

Open
opened 2026-05-14 21:10:23 +02:00 by Claude · 0 comments

Problem

start_game() builds a shell command string by concatenating path, exe, window_mode, width, height, a language code, and loginServer, then passes it to subprocess.call(..., shell=True). The path variable is derived from base_path, which is read directly from the user-editable 4lbion.json config file. Any shell metacharacters in that value (;, &&, |, backticks, etc.) are interpreted by the shell.

Location

4lbion.py, lines 325–402 (base_path = get_json_data("basePath"), subprocess.call(... shell=True))

Risk

If an attacker can modify 4lbion.json (e.g., via a malicious script, social engineering, or a path traversal in the updater), they can inject arbitrary shell commands that execute with the user's privileges when the Play button is pressed. Even without an external attacker, shell=True with string concatenation is considered an unsafe pattern and can cause unexpected behaviour if the game path contains spaces or special characters.

Suggested fix direction

Replace subprocess.call(shell=True, ...) with a list-based invocation: subprocess.call([path + "/" + exe, window_mode, ...]). This completely avoids shell interpretation. On macOS the open prefix should be handled as a separate list entry.
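
The contrast described above, shown as an added example (not code from the 4lbion project): the concatenated string the report describes beside the list-based replacement it recommends. The executable name, the argument order, the helper names and the macOS `open -a ... --args` form are all assumptions for illustration; the sample `basePath` value is constructed to contain a `;` so the difference is visible. The unsafe string is only tokenized with `shlex` to show how a shell would read it, never executed; the list form is handed to a stand-in child (this interpreter) that reports the argv it received.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample: a basePath value as it might appear in a tampered
# 4lbion.json. The "; echo INJECTED" part is what a shell would run.
SAMPLE_BASE_PATH = "/opt/Albion Online; echo INJECTED"
# Hypothetical launch parameters (names and order are assumptions, not the
# launcher's real signature).
SAMPLE_ARGS = ("Albion-Online", "fullscreen", 1920, 1080, "en-US", "live")


def build_shell_string(base_path, exe, window_mode, width, height, lang, login_server):
    """The unsafe pattern the issue describes: one string, destined for
    subprocess.call(..., shell=True). Kept here only to show how the shell
    would parse it; nothing in this file executes it."""
    return (base_path + "/" + exe + " " + window_mode + " " + str(width) + " "
            + str(height) + " " + lang + " " + login_server)


def shell_would_see(cmd):
    """Tokenize cmd the way a POSIX shell would (via shlex), without running it.
    A ';' token means the tampered path has split the command line in two."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_argv(base_path, exe, window_mode, width, height, lang, login_server, platform=None):
    """Hardened form: an argv list for subprocess.call/run with shell=False.
    Each value is exactly one list element, so spaces and metacharacters in
    base_path reach the game as literal characters."""
    platform = platform or sys.platform
    exe_path = base_path + "/" + exe
    argv = [exe_path, window_mode, str(width), str(height), lang, login_server]
    if platform == "darwin":
        # Assumed macOS form: `open` and its flags are separate list entries,
        # never a string prefix (`open -a APP --args ...` forwards the rest).
        argv = ["open", "-a", exe_path, "--args"] + argv[1:]
    return argv


def argv_received_by_child(argv):
    """Launch a stand-in child (this interpreter) with the list form and return
    the argv it actually received, showing that no shell parsing took place."""
    probe = "import json, sys; print(json.dumps(sys.argv[1:]))"
    result = subprocess.run([sys.executable, "-c", probe, *argv],
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    unsafe = build_shell_string(SAMPLE_BASE_PATH, *SAMPLE_ARGS)
    print("shell=True would parse:", shell_would_see(unsafe))
    safe = build_argv(SAMPLE_BASE_PATH, *SAMPLE_ARGS, platform="linux")
    print("list form, child received:", argv_received_by_child(safe))
```

The list form removes the shell from the picture but still trusts `basePath` as a filesystem location; checking that it names an existing directory and that the resulting executable is the expected file is a separate validation step the launcher would add on top.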

Severity

critical

Found by

Automated audit by Claude Code

Reference
bc1bb/4lbion#3