Felix Groebert created THRIFT-3893:
--------------------------------------

             Summary: Command injection in format_go_output
                 Key: THRIFT-3893
                 URL: https://issues.apache.org/jira/browse/THRIFT-3893
             Project: Thrift
          Issue Type: Bug
          Components: Go - Compiler
    Affects Versions: 0.9.3
            Reporter: Felix Groebert


format_go_output runs gofmt on a file_path which is derived from the service 
name. If a malicious user is able to provide a service name to a framework 
invoking thrift, a user-supplied service name could lead to shell command 
injection.

A potential fix would be to escape the file_path or to ensure that it 
adheres to a whitelist of characters, e.g. [A-Za-z0-9_-].
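The two patterns the report contrasts, written out as an added example that is not Thrift's own code: a service name spliced into a shell command string (the vulnerable shape), beside a validator that enforces the suggested whitelist [A-Za-z0-9_-] and builds the gofmt invocation as a discrete argv list so no shell ever parses the path. The function names (`is_safe_service_name`, `build_gofmt_shell_command`, `build_gofmt_argv`), the `gen-go` output directory and the sample names are assumptions for illustration; the character test relies on `std::isalnum` in the default "C" locale, where it accepts ASCII letters and digits only.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Whitelist from the report: [A-Za-z0-9_-]. Returns true only when the name is
// non-empty and every character is in that set (ASCII in the "C" locale).
bool is_safe_service_name(const std::string& name) {
  if (name.empty()) return false;
  for (unsigned char c : name) {
    if (!(std::isalnum(c) || c == '_' || c == '-')) return false;
  }
  return true;
}

// The vulnerable shape described in the report (hypothetical, not Thrift's code):
// the path is concatenated into one string that a shell will later parse, so any
// shell metacharacter in the service name changes what gets executed.
std::string build_gofmt_shell_command(const std::string& file_path) {
  return "gofmt -w " + file_path;
}

// Hardened shape: validate the service name before deriving the path, then hand
// the path to the formatter as its own argv element (for execvp or similar)
// instead of through a shell. An empty vector signals a rejected name.
std::vector<std::string> build_gofmt_argv(const std::string& out_dir,
                                          const std::string& service_name) {
  if (!is_safe_service_name(service_name)) return {};
  const std::string file_path = out_dir + "/" + service_name + ".go";
  return {"gofmt", "-w", file_path};
}

int main() {
  // Constructed sample inputs: one ordinary name, one carrying a shell metacharacter.
  const std::vector<std::string> names = {"Calculator", "Svc; echo injected"};
  for (const auto& n : names) {
    std::cout << "shell string: " << build_gofmt_shell_command("gen-go/" + n + ".go") << "\n";
    const auto argv = build_gofmt_argv("gen-go", n);
    std::cout << "argv form:    ";
    if (argv.empty()) {
      std::cout << "(rejected by whitelist)";
    } else {
      for (const auto& a : argv) std::cout << "[" << a << "] ";
    }
    std::cout << "\n";
  }
  return 0;
}
```

The argv form is the stronger of the two fixes the report offers: even if the whitelist were later loosened, a path passed as a single argv element is never re-tokenised by a shell, whereas escaping a string that is still handed to `system()` has to anticipate every metacharacter of every shell the compiler might run under.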



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)