** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1949527
Title:
  Avoid command injection when PDF bulk export is enabled

Status in Mahara:
  Fix Committed
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released
Status in Mahara 21.10 series:
  Fix Released
Status in Mahara 22.04 series:
  Fix Committed

Bug description:
  The patch
  https://git.mahara.org/mahara/mahara/-/commit/6c15801d04887e482b1f490d8acf6f7c52661eea
  doesn't avoid a filename with backticks, and a simple command like
  `shutdown` could still be executed. I have to say I didn't test it
  though, but I wanted to give a heads-up. I think exploitation is fairly
  limited now, but it could still be used as a denial of service.

  I would highly recommend using a whitelist instead of trying to remove
  all special characters; something like
  preg_replace('/[^a-zA-Z0-9_]/', '-', ...) would make it easier and
  wouldn't require an exhaustive list of all potentially malicious
  characters.

  All the best,
  Dominic

  This is a follow-on from Bug 1942903

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1949527/+subscriptions
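The allowlist approach the report recommends, worked through as an added example (this is not Mahara's code and not the fix that was committed): characters outside a fixed set are replaced with '-', and the result is still quoted with escapeshellarg() so the shell never interprets it. The renderer path, URL and input filename are constructed placeholders.

```php
<?php
// Added example, not Mahara's own code. Shows the allowlist sanitiser
// suggested in the bug report, plus escapeshellarg() as a second layer.

function sanitise_export_filename(string $name, int $maxlen = 64): string
{
    // Drop any directory components so path traversal cannot survive.
    $name = basename($name);

    // Allowlist: keep letters, digits, '_', '.' and '-'; everything else
    // (spaces, backticks, '$', ';', '|', quotes, ...) becomes '-'.
    // No denylist to keep up to date, which is the report's point.
    $name = preg_replace('/[^a-zA-Z0-9_.-]/', '-', $name);

    // Collapse runs of '-' and strip leading '.'/'-' so the result is
    // neither a hidden file nor something that looks like a CLI flag.
    $name = preg_replace('/-+/', '-', $name);
    $name = ltrim($name, '.-');

    if ($name === '') {
        $name = 'export';
    }
    return substr($name, 0, $maxlen);
}

function build_pdf_command(string $renderer, string $url, string $filename): string
{
    $safe = sanitise_export_filename($filename);

    // escapeshellarg() quotes each value as exactly one argument, so even a
    // name that passes the allowlist can never be parsed as shell syntax.
    return escapeshellarg($renderer) . ' '
         . escapeshellarg($url) . ' '
         . escapeshellarg($safe . '.pdf');
}

// Constructed input using the backtick pattern the report describes.
$cmd = build_pdf_command(
    '/path/to/pdf-renderer',            // placeholder, not Mahara's renderer
    'https://example.invalid/view/1',   // placeholder URL
    'annual report `shutdown` 2021'
);
echo $cmd, PHP_EOL;
```

Note that the sanitiser changes the user-visible filename; if the original name must be preserved for display, store it separately and only ever pass the sanitised form to the shell.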

