Issue #7066 has been updated by Mohamed Lrhazi.
Maybe shellsafe should reject all of the special characters listed here:
http://en.wikipedia.org/wiki/Shell_injection#Shell_injection

`command` will execute command.
$(command) will execute command.
; command will execute command, and output result of command.
| command will execute command, and output result of command.
&& command will execute command, and output result of command.
|| command will execute command, and output result of command.
> /home/user/phpguru/.bashrc will overwrite file .bashrc.
< /home/user/phpguru/.bashrc will send file .bashrc as input to funnytext.

----------------------------------------
Bug #7066: The shellsafe validator should check for ;
https://projects.puppetlabs.com/issues/7066

Author: R.I. Pienaar
Status: Accepted
Priority: Normal
Assignee:
Category: SimpleRPC
Target version: 1.1.5
Keywords:
Branch:
Affected mCollective version:

A ; in the input string should not be allowed for shellsafe input

<pre>
foo;rm -rf /
</pre>

Isn't protected against.

Really a more mature approach should be found for the shellsafe validation, perhaps using Shellwords#escape
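The two approaches raised in this thread, as an added Ruby example (not mCollective's code and not part of the original messages): a denylist over the metacharacters listed in the comment, next to Shellwords.escape and an argv call that never reaches a shell. The names reject_shell_meta, echo_via_shell and echo_via_argv are hypothetical, the inputs are constructed, and rejecting newline is an assumption beyond the quoted list.

```ruby
require 'shellwords'
require 'open3'

# Metacharacters from the list quoted in the comment:
#   `cmd`  $(cmd)  ;  |  &&  ||  >  <
# Matching a single & or | also covers && and ||. Newline is an added
# assumption: it separates commands the same way ; does.
SHELL_META = /[`$;|&<>\n]/

# Hypothetical denylist validator: raises on the first metacharacter found,
# otherwise returns the input unchanged.
def reject_shell_meta(input)
  raise ArgumentError, 'input must be a String' unless input.is_a?(String)

  if (m = SHELL_META.match(input))
    raise ArgumentError, "shell metacharacter #{m[0].inspect} not allowed"
  end
  input
end

# Quote instead of reject: Shellwords.escape turns the input into exactly
# one shell word, so the shell hands it to printf as literal text.
def echo_via_shell(input)
  out, _status = Open3.capture2("printf '%s' #{Shellwords.escape(input)}")
  out
end

# Avoid the shell entirely: with an argv list Ruby executes printf directly
# and no metacharacter is ever interpreted.
def echo_via_argv(input)
  out, _status = Open3.capture2('printf', '%s', input)
  out
end

if __FILE__ == $PROGRAM_NAME
  sample = 'foo; echo INJECTED' # constructed, harmless stand-in for the report's string
  begin
    reject_shell_meta(sample)
  rescue ArgumentError => e
    puts "denylist:  #{e.message}"
  end
  puts "escaped:   #{Shellwords.escape(sample)}"
  puts "via shell: #{echo_via_shell(sample)}"
  puts "via argv:  #{echo_via_argv(sample)}"
end
```

A denylist only stays correct while the list is complete, which is the gap this bug reports; escaping or an argv call does not depend on enumerating every dangerous character.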
