[ https://issues.apache.org/jira/browse/STORM-194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869124#comment-13869124 ]

Derek Dagit commented on STORM-194:
-----------------------------------

In this case we are going to the OS without using a shell.  The program to be 
run is hard-coded to 'java' (both before and after the patch).  An attack using 
backticks as part of the topology name would result in the backticks being 
passed literally as part of the argument to java.

It would be possible to use the topology name to pass additional options to 
java.  We already facilitate this through topology.worker.childopts.

Non-options would be treated as arguments, and additional arguments would cause 
the worker to exit immediately (wrong number of arguments).

> Workers don't launch properly when the topology name has a space in it
> ----------------------------------------------------------------------
>
>                 Key: STORM-194
>                 URL: https://issues.apache.org/jira/browse/STORM-194
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Derek Dagit
>            Assignee: Derek Dagit
>
> From https://github.com/nathanmarz/storm/issues/779
> Currently the storm-id field is made of the topologyName (unmodified) as well 
> as a UID and a timestamp.
> The storm-id used when launching a worker cannot have spaces in it because of 
> how the process is started (command line args are not escaped or passed as an 
> array).
> https://github.com/nathanmarz/storm/blob/moved-to-apache/storm-core/src/clj/backtype/storm/daemon/supervisor.clj#L436



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
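Added example (not from the issue, the comment above, or Storm's own supervisor code): it models the two launch strategies the thread contrasts. A single command string tokenized on whitespace with no shell (the behaviour of Java's Runtime.exec(String)) is compared with an argv list. The command shape used here (JVM options, a -Dstorm.id=... option, a main class, then the storm-id again as a positional argument) is an assumption modelled on the issue text; the "worker" is a constructed stand-in that exits when handed the wrong number of arguments. It shows that backticks stay literal either way, that a space in the storm-id lands extra tokens both in the JVM option region and in the program arguments, and that the argv form delivers the name intact.

```python
"""Whitespace-tokenized launch vs. argv-list launch, no shell in either case."""
import subprocess
import sys
import textwrap

# Constructed stand-in for the worker main: expects exactly 3 positional
# arguments (storm-id, assignment-id, port) and echoes the storm-id back.
WORKER_SRC = textwrap.dedent("""\
    import sys
    if len(sys.argv) != 4:
        sys.exit(2)        # wrong number of arguments: exit immediately
    print(sys.argv[1])     # the storm-id as the worker actually received it
""")

MAIN_CLASS = "backtype.storm.daemon.worker"


def build_command_string(storm_id, port, assignment_id):
    """One flat string, the pre-patch style; the shape is an assumption."""
    return (f"java -server -Dstorm.id={storm_id} -cp storm.jar "
            f"{MAIN_CLASS} {storm_id} {assignment_id} {port}")


def tokenize_like_exec(command):
    """Runtime.exec(String) splits on whitespace and runs no shell, as str.split() does."""
    return command.split()


def classify(argv, main_class=MAIN_CLASS):
    """Split a tokenized java command into (jvm_options, program_args)."""
    i = argv.index(main_class)
    return argv[1:i], argv[i + 1:]


def _run(argv):
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def launch_tokenized(storm_id, port, assignment_id):
    """Only the positional tail goes through whitespace tokenization here,
    so the stand-in worker source itself is not split apart."""
    tail = f"{storm_id} {assignment_id} {port}"
    argv = [sys.executable, "-c", WORKER_SRC] + tail.split()
    return _run(argv)


def launch_argv(storm_id, port, assignment_id):
    """Post-patch style: one array element per argument, still no shell."""
    argv = [sys.executable, "-c", WORKER_SRC, storm_id, assignment_id, str(port)]
    return _run(argv)


if __name__ == "__main__":
    # Constructed storm-ids of the form <topology name>-<uid>-<timestamp>.
    spaced = "my topology-1-1394000000"
    backticks = "`id`-1-1394000000"
    injected = "demo -Dsneaky=true-1-1394000000"

    print("tokenized, spaced name :", launch_tokenized(spaced, 6700, "a"))
    print("argv list, spaced name :", launch_argv(spaced, 6700, "a"))
    print("tokenized, backticks   :", launch_tokenized(backticks, 6700, "a"))
    print("argv list, backticks   :", launch_argv(backticks, 6700, "a"))
    opts, args = classify(tokenize_like_exec(build_command_string(injected, 6700, "a")))
    print("jvm options seen by java:", opts)
    print("program args seen by java:", args)
```

The argv form is the fix the patch is about: the storm-id reaches the worker as one argument regardless of spaces. The tokenized form shows why Derek's two observations hold together: nothing ever reaches a shell, so backticks are inert, but a space in the name can both add a token in the JVM option region and change the worker's argument count.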
