[ https://issues.apache.org/jira/browse/HADOOP-8456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13485242#comment-13485242 ]

Ivan Mitic commented on HADOOP-8456:
------------------------------------

bq. Quotes aren't adequate if the shell is involved. Ex. A typical exploit is 
to pass constructs like ";malicious-cmd;" or $(malicious-cmd). If the shell is 
completely bypassed, as it should be, the list of args can be passed through 
execve with no quotes. The shell should never be involved in command execution 
unless you actually want it to possibly mangle your parameters which is almost 
never the case.
I see, thanks for clarifying. I don't think we have this problem here as the 
Windows shell is not involved. The quoted strings go through the following stack: 
Java#ProcessBuilder->Win32#CreateProcess->Winutils.exe#argc/argv. On the other 
hand, we have to place username under quotes, as it won't be passed as a single 
argument to the underlying winutils exe. For example:
{{winutils groups user name}}
does not work (4 args), while
{{winutils groups "user name"}}
works. Makes sense, or am I missing something?
                
> Support spaces in user names and group names in results returned via winutils
> -----------------------------------------------------------------------------
>
>                 Key: HADOOP-8456
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8456
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: native
>    Affects Versions: 1-win
>            Reporter: Chuan Liu
>            Assignee: Ivan Mitic
>            Priority: Minor
>         Attachments: HADOOP-8456.branch-1-win.spaces.patch
>
>
> When parsing results returned by ‘ls’, we made an implicit assumption that user 
> and group names cannot contain spaces. On Linux, spaces are not allowed in 
> user names and group names. This is not the case for Windows. We need to find 
> a way to fix the problem for Windows.
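As an added illustration of the stack described in the comment above (not code from Hadoop, winutils or the JDK), the following Python re-implements the documented Microsoft C runtime rules that turn the single CreateProcess command-line string into argc/argv, plus a simplified quoting routine of the kind a launcher such as ProcessBuilder has to apply; the exact ProcessBuilder behaviour is assumed, not reproduced. It shows why `winutils groups user name` yields four arguments while the quoted form yields one, and that with no shell in the path a quoted `;malicious-cmd;` arrives as a plain literal argument rather than being interpreted.

```python
# Re-implementation (assumed from the documented Microsoft C runtime rules) of how
# one command-line string is split into argv: whitespace separates, double quotes
# group, backslashes are literal unless before a quote. argv[0] quirks are omitted.
def parse_windows_command_line(cmdline):
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < len(cmdline) and cmdline[j] == '\\':
                j += 1
            nback = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append('\\' * (nback // 2))  # each pair -> one backslash
                if nback % 2:                    # odd: last one escapes the quote
                    cur.append('"')
                    j += 1
            else:
                cur.append('\\' * nback)         # not before a quote: literal
            i, have_arg = j, True
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append(''.join(cur))
    return args

# Reverse direction, as a launcher must do it so each argument survives as one
# argv entry (simplified model of what ProcessBuilder does, not its actual code).
def quote_arg(arg):
    if arg and not any(ch in ' \t"' for ch in arg):
        return arg
    out, nback = ['"'], 0
    for ch in arg:
        if ch == '\\':
            nback += 1
            continue
        out.append('\\' * (2 * nback + 1) + '"' if ch == '"' else '\\' * nback + ch)
        nback = 0
    out.append('\\' * (2 * nback) + '"')
    return ''.join(out)
def build_command_line(args):
    return ' '.join(quote_arg(a) for a in args)
```

The round trip `parse_windows_command_line(build_command_line(args)) == args` is the property a launcher needs; the quoting only protects argument boundaries, it is not shell escaping.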
