Protection against too long command to avoid bad code injection in shell #9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
|
Very good! |
Contributor
Author
|
@andrerom Tell us if you think some elements are missing for making this pull request merged (and indeed the other 2 ones for ezscriptmonitor), so that I can add them |
Contributor
|
Why do you call on me in this one, I'm not even part of the discussion here :) |
ghost
assigned
Contributor
Author
|
@andrerom oups sorry, as you were involved in another pull request for ezscriptmonitor, I thought you were the one that could merge the pull request :) @glye have you the authority to merge all the pull requests for ezscriptmonitor ? if yes, tell me if some elements are missing for those pull so that I can correct them |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It's possible to invoke ezscriptmonitor with a big big command line, but if the command is longer than 2000, it will be silently cut by the database (length for this command has been increased from 255 to 2000 with #8, but whatever the limit is, even huge, protection is required)
When the cronjob executes this command, it will execute a command, that has been cut just after 2000 chars...
So with a command like "./prog --command='echo "[massive spaces]"; rm -rf /' --scriptid=4"...
Well... you know... :)