[ https://issues.apache.org/jira/browse/MESOS-7041?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gavin updated MESOS-7041: ------------------------- Comment: was deleted (was: www.rtat.net) > Default CommandInfo usage to not use the shell. > ----------------------------------------------- > > Key: MESOS-7041 > URL: https://issues.apache.org/jira/browse/MESOS-7041 > Project: Mesos > Issue Type: Bug > Components: security > Reporter: James Peach > Priority: Major > > One of the usage patterns of {{CommandInfo}} is to carry commands from > isolators to launchers. The default (and easiest) way to use this is > {{launchInfo.add_pre_exec_commands()->set_value(...)}}, which invokes the > shell. To reduce the risk of shell injection attacks all isolators should > default to not using the shell, which implies that this should be the > easiest/default usage pattern. -- This message was sent by Atlassian JIRA (v7.6.3#76005)