James DeFelice created MESOS-5388:
-------------------------------------
Summary: MesosContainerizerLaunch flags execute arbitrary commands via shell
Key: MESOS-5388
URL: https://issues.apache.org/jira/browse/MESOS-5388
Project: Mesos
Issue Type: Bug
Reporter: James DeFelice
For example, the docker volume isolator's containerPath is appended (without
sanitization) to a command that's executed in this manner. As such, it's possible
to inject arbitrary shell commands to be executed by Mesos.
https://github.com/apache/mesos/blob/17260204c833c643adf3d8f36ad8a1a606ece809/src/slave/containerizer/mesos/launch.cpp#L206
Perhaps instead of strings these commands could/should be sent as string arrays
that could be passed as argv arguments without shell interpretation?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
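The following is an added example illustrating the two patterns the issue contrasts; it is not Mesos code and not the reporter's. A hypothetical `unsafeCommand` concatenates the container path into one string that is later handed to `sh -c` (the pattern the issue describes), while `argvCommand` builds an argv vector that is executed directly with `posix_spawnp`, so no shell ever parses the path. `/bin/echo` stands in for the real mount invocation so the demo runs unprivileged; the function names, the `exit 9` payload and the mount-like argument layout are assumptions made for the example.

```cpp
#include <spawn.h>
#include <sys/wait.h>
#include <unistd.h>

#include <cstdio>
#include <string>
#include <vector>

extern char** environ;

// Hypothetical stand-in for the flawed pattern: every value, including the
// operator-controlled containerPath, is pasted into one string that will later
// be run as `sh -c "<string>"`. /bin/echo replaces the real mount binary.
std::string unsafeCommand(const std::string& source,
                          const std::string& containerPath) {
  return "/bin/echo bind " + source + " " + containerPath;
}

// Hardened form suggested in the issue: each value is exactly one argv entry.
// Shell metacharacters inside containerPath are just bytes of that argument.
std::vector<std::string> argvCommand(const std::string& source,
                                     const std::string& containerPath) {
  return {"/bin/echo", "bind", source, containerPath};
}

// Cheap pre-check: would `sh -c` treat any byte of this string specially?
bool shellWouldInterpret(const std::string& s) {
  return s.find_first_of(";|&$`\"'\\<>(){}*?\n") != std::string::npos;
}

// Execute argv directly (no shell) and return the child's exit status,
// or -1 on spawn/wait failure or abnormal termination.
int runArgv(const std::vector<std::string>& argv) {
  std::vector<char*> cargv;
  for (const std::string& a : argv) {
    cargv.push_back(const_cast<char*>(a.c_str()));
  }
  cargv.push_back(nullptr);

  pid_t pid = 0;
  if (posix_spawnp(&pid, cargv[0], nullptr, nullptr, cargv.data(), environ) != 0) {
    return -1;
  }
  int status = 0;
  if (waitpid(pid, &status, 0) < 0) {
    return -1;
  }
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// The flawed execution path: hand a single string to the shell.
int runShell(const std::string& command) {
  return runArgv({"/bin/sh", "-c", command});
}

int main() {
  // Constructed malicious container path: terminates the intended command
  // and appends one of the attacker's choosing (a harmless `exit 9` here).
  const std::string evil = "/mnt/data; exit 9";

  int viaShell = runShell(unsafeCommand("/var/lib/vol", evil));
  int viaArgv = runArgv(argvCommand("/var/lib/vol", evil));

  // With sh -c the injected `exit 9` runs and becomes the exit status;
  // with argv, echo prints the path verbatim and exits 0.
  std::printf("sh -c exit status: %d\n", viaShell);
  std::printf("argv  exit status: %d\n", viaArgv);
  return 0;
}
```

The useful property of the argv form is that it needs no escaping at all: the isolator never has to guess which characters a given `/bin/sh` treats specially, because none of the arguments are parsed by one. `shellWouldInterpret` is only a detection aid for auditing existing string-built commands, not a substitute for the argv design.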