[
https://issues.apache.org/jira/browse/THRIFT-3893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15414064#comment-15414064
]
Jens Geyer commented on THRIFT-3893:
------------------------------------
Escaping against a whitelist sounds like producing problems. Proper escaping is
probably more applicable. The other solution would be to just have the
generator generate properly laid-out source code, eliminating the need for the
system() call at all.
> Command injection in format_go_output
> -------------------------------------
>
> Key: THRIFT-3893
> URL: https://issues.apache.org/jira/browse/THRIFT-3893
> Project: Thrift
> Issue Type: Bug
> Components: Go - Compiler
> Affects Versions: 0.9.3
> Reporter: Felix Groebert
> Labels: security
> Original Estimate: 2m
> Remaining Estimate: 2m
>
> format_go_output runs gofmt on a file_path which is derived from the service
> name. If a malicious user is able to provide a service name to a framework
> invoking thrift, a user-supplied service name could lead to shell command
> injection.
> A potential fix would be to escape the file_path or ensure that it
> adheres to a whitelist of characters, e.g. [A-Za-z0-9_-].
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
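The two remedies discussed in this thread, a character whitelist on the service-name-derived path and avoiding the shell entirely, can be seen side by side in the following C++ sketch. It is an added example written for this page, not code from the Thrift compiler: the function names, the `out_dir + "/" + service_name + ".go"` naming scheme and the `actually_run` switch are assumptions for illustration. `build_shell_command_unsafe` only shows the risky shape (a path spliced into a string that `/bin/sh` would parse); `run_without_shell` launches `gofmt` with an explicit argv so no shell ever interprets the path.

```cpp
#include <cctype>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

// Whitelist check for a service-name-derived file component, using the
// character set proposed in the issue: [A-Za-z0-9_-]. Empty names are rejected.
bool is_safe_service_name(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

// Illustrates the risky shape only: the path is spliced into one string that a
// shell would parse, so any shell metacharacter in it changes the command's meaning.
std::string build_shell_command_unsafe(const std::string& file_path) {
    return "gofmt -w " + file_path;
}

// Hardened launcher: fork/execvp with an explicit argv. No shell is involved,
// so every argument, including the path, reaches the program verbatim.
// Returns the child's exit status, or -1 if it could not be started or waited on.
int run_without_shell(const std::string& program, const std::vector<std::string>& args) {
    std::vector<std::string> owned;          // keep mutable copies alive for execvp
    owned.push_back(program);
    owned.insert(owned.end(), args.begin(), args.end());
    std::vector<char*> argv;
    for (std::string& s : owned) argv.push_back(&s[0]);
    argv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv.data());
        _exit(127);                          // exec failed in the child
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Hypothetical replacement for the formatting step (assumed naming scheme):
// validate first, then build the path and run gofmt via argv instead of system().
// Returns false and leaves out_path empty when the service name is rejected.
// actually_run=false lets a caller exercise the validation without needing gofmt.
bool format_go_output_safe(const std::string& service_name, const std::string& out_dir,
                           std::string& out_path, bool actually_run = true) {
    out_path.clear();
    if (!is_safe_service_name(service_name)) return false;
    out_path = out_dir + "/" + service_name + ".go";
    if (!actually_run) return true;
    return run_without_shell("gofmt", {"-w", out_path}) == 0;
}

int main() {
    std::string path;
    // Constructed inputs: one well-formed service name, one carrying a metacharacter.
    bool ok  = format_go_output_safe("Calculator", "gen-go", path, false);
    bool bad = format_go_output_safe("svc;id", "gen-go", path, false);
    return (ok && !bad) ? 0 : 1;
}
```

The whitelist rejects the name before any path is built, and even a path that slipped past validation would be handed to `gofmt` as a single argv element rather than parsed by a shell, so the two measures are independent layers.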