[
https://issues.apache.org/jira/browse/THRIFT-3893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15414115#comment-15414115
]
ASF GitHub Bot commented on THRIFT-3893:
----------------------------------------
GitHub user Jens-G reopened a pull request:
https://github.com/apache/thrift/pull/1061
THRIFT-3893 Command injection in format_go_output
Client: Go
Patch: Jens Geyer
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/Jens-G/thrift THRIFT-3893
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/thrift/pull/1061.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1061
----
commit 7e4a23293ce170ccdffc91e0a390e428ce03ceec
Author: Jens Geyer <[email protected]>
Date: 2016-08-09T19:04:53Z
THRIFT-3893 Command injection in format_go_output
Client: Go
Patch: Jens Geyer
----
> Command injection in format_go_output
> -------------------------------------
>
> Key: THRIFT-3893
> URL: https://issues.apache.org/jira/browse/THRIFT-3893
> Project: Thrift
> Issue Type: Bug
> Components: Go - Compiler
> Affects Versions: 0.9.3
> Reporter: Felix Groebert
> Labels: security
> Original Estimate: 2m
> Remaining Estimate: 2m
>
> format_go_output runs gofmt on a file_path which is derived from the service
> name. If a malicious user is able to provide a service name to a framework
> invoking thrift, a user-supplied service name could lead to shell command
> injection.
> A potential fix would be to escaping on the file_path or ensuring that it
> adheres to a whitelist of characters, e.g. [A-Za-z0-9_-].
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
