** Changed in: mahara/22.04
     Assignee: (unassigned) => Robert Lyon (robertl-9)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1949527

Title:
  Avoid command injection when PDF bulk export is enabled

Status in Mahara:
  Fix Committed
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released
Status in Mahara 21.10 series:
  Fix Released
Status in Mahara 22.04 series:
  Fix Committed

Bug description:
  The patch
  https://git.mahara.org/mahara/mahara/-/commit/6c15801d04887e482b1f490d8acf6f7c52661eea
  doesn't avoid a filename with backticks and a simple command like
  `shutdown` could still be executed.

  I have to say I didn't test it 
  though but I wanted to give a heads-up. I think exploitation is fairly 
  limited now but it could still be used as a denial of service.

  I would highly recommend using a whitelist instead of trying to remove 
  all special characters, something like preg_replace('/[^a-zA-Z0-9_]/', 
  '-', ...) would make it easier and wouldn't require an exhaustive list 
  of all potentially malicious characters.

  All the best,
  Dominic

  
  This is a follow-on from Bug 1942903
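The allow-list approach recommended in the report, written out as an added PHP example; this is not Mahara's code and not the patch linked above. The function names, the extension handling, the `basename()` step and the converter path are assumptions made here, and the sample filenames are constructed for the demonstration. The point it shows: after reducing the name to `[A-Za-z0-9_]` nothing shell-significant remains, and passing the result through `escapeshellarg()` as well means the shell never gets a chance to interpret it even if the allow-list is later loosened.

```php
<?php
// Added example (not Mahara's code): allow-list sanitisation of a user-supplied
// filename before it is placed on a shell command line.

/**
 * Reduce a filename to [A-Za-z0-9_], replacing every other character with '-'.
 * Extends the report's preg_replace() suggestion to keep a short alphanumeric
 * extension and to fall back to a fixed name when nothing survives
 * (both are assumptions of this example, not Mahara behaviour).
 */
function sanitise_export_filename(string $name, string $fallback = 'export'): string
{
    // Keep only the last path component so '../' cannot leave the export directory.
    $base = basename($name);

    // Split off an alphanumeric extension of up to 8 characters, if present.
    $ext = '';
    if (preg_match('/\.([A-Za-z0-9]{1,8})$/', $base, $m)) {
        $ext  = '.' . strtolower($m[1]);
        $base = substr($base, 0, -strlen($m[0]));
    }

    // Allow-list: every character outside [a-zA-Z0-9_] becomes '-'.
    // Backticks, $(), ;, |, quotes and whitespace all disappear here.
    $safe = preg_replace('/[^a-zA-Z0-9_]/', '-', $base);

    // Collapse runs of '-' and strip them from both ends.
    $safe = trim(preg_replace('/-+/', '-', $safe), '-');

    if ($safe === '') {
        $safe = $fallback;
    }
    return $safe . $ext;
}

/**
 * Build the converter command line. Defence in depth: the name is already
 * allow-listed, and escapeshellarg() additionally quotes every argument so the
 * shell performs no expansion on it. $tool is a placeholder converter path.
 */
function build_pdf_command(string $tool, string $inputHtml, string $outputName): string
{
    $safeOut = sanitise_export_filename($outputName);
    return $tool . ' ' . escapeshellarg($inputHtml) . ' ' . escapeshellarg($safeOut);
}

// Constructed sample inputs, including the backtick case from the report.
$samples = [
    'My Portfolio 2021.pdf',   // -> My-Portfolio-2021.pdf
    'report`shutdown`.pdf',    // -> report-shutdown.pdf
    '../../etc/passwd',        // -> passwd
    '....',                    // -> export (fallback)
];
foreach ($samples as $s) {
    printf("%-26s -> %s\n", $s, sanitise_export_filename($s));
}

echo build_pdf_command('/usr/local/bin/html2pdf', '/tmp/page.html', 'report`shutdown`.pdf'), "\n";
// -> /usr/local/bin/html2pdf '/tmp/page.html' 'report-shutdown.pdf'
```

Run it with `php example.php`. Where the converter is invoked through `proc_open()` with an argument array rather than a shell string, the `escapeshellarg()` step becomes unnecessary, but the allow-list is still worth keeping because the sanitised name also ends up on disk and in HTTP headers.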
