[jira] [Commented] (THRIFT-3893) Command injection in format_go_output

ASF GitHub Bot (JIRA) Thu, 15 Sep 2016 20:54:07 -0700

    [ 
https://issues.apache.org/jira/browse/THRIFT-3893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15495294#comment-15495294
 ]


ASF GitHub Bot commented on THRIFT-3893:
----------------------------------------

Github user jfarrell commented on the issue:

    https://github.com/apache/thrift/pull/1061
  
    committed in 2007783e


> Command injection in format_go_output
> -------------------------------------
>
>                 Key: THRIFT-3893
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3893
>             Project: Thrift
>          Issue Type: Bug
>          Components: Go - Compiler
>    Affects Versions: 0.9.3
>            Reporter: Felix Groebert
>            Assignee: Jens Geyer
>              Labels: security
>             Fix For: 0.10.0
>
>
> format_go_output runs gofmt on a file_path which is derived from the service 
> name. If a malicious user is able to provide a service name to a framework 
> invoking thrift, a user-supplied service name could lead to shell command 
> injection.
> A potential fix would be to escaping on the file_path or ensuring that it 
> adheres to a whitelist of characters, e.g. [A-Za-z0-9_-].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (THRIFT-3893) Command injection in format_go_output

Reply via email to