> On Feb 10, 2017, at 5:02 PM, Jiang Yan Xu <[email protected]> wrote:
>
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56527/
>
> On February 10th, 2017, 10:11 a.m. PST, James Peach wrote:
>
> src/common/validation.cpp (Diff revision 1)
> namespace mesos {
> 42
> id == string{os::HOME_DIRECTORY}) {
>
> '~' is a bad choice for an ID, but by itself it is not a security issue. You
> ought to check for id[0] != '~' (or just ban it anywhere in the string).
>
> "~" is "by itself" as much as a security issue as ".." right?

Yep you are right, I forgot that case :)

> but yeah I overlooked other forms of Tilde-Expansion. As jpeach pointed out
> offline, perhaps instead of disallowing certain characters, it's easier to
> only allow certain chars. We should discuss with the community on that
> though. I'll drop "~" for now.
>
> - Jiang Yan
>
>
> On February 9th, 2017, 11:05 p.m. PST, Jiang Yan Xu wrote:
>
> Review request for mesos and James Peach.
> By Jiang Yan Xu.
> Updated Feb. 9, 2017, 11:05 p.m.
>
> Bugs: MESOS-7086
> Repository: mesos
>
> Description
>
> - Such IDs should lead to surprising or even dangerous agent side
> directory structure.
>
> Testing
>
> make check.
>
> Diffs
>
> src/common/validation.cpp (0f1a02286d8431acfee6136e8ada49b0ac746897)
> src/tests/master_validation_tests.cpp
> (0c2649089d7fd29eb021ac75c71e6a74368577dc)
> src/tests/slave_validation_tests.cpp
> (3d17799ed04951fb56524db0f5d89347192300b2)
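
The allowlist idea raised in the thread, set beside a denylist of exact names, as an added example that is not part of the original e-mail or of the Mesos patch. The function names, the permitted character set and the 255-character limit are assumptions chosen for illustration; the sample IDs are constructed.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical denylist check (not Mesos code): rejects only the exact
// names ".", "..", "~" and any ID containing a path separator.
bool denylistAccepts(const std::string& id) {
  if (id.empty() || id == "." || id == ".." || id == "~") return false;
  return id.find('/') == std::string::npos;
}

constexpr std::size_t kMaxIdLength = 255;  // assumed limit

// Locale-independent ASCII test; avoids std::isalnum on a signed char.
static bool isAsciiAlnum(char c) {
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
         (c >= '0' && c <= '9');
}

// Hypothetical allowlist check: 1..kMaxIdLength characters drawn from
// [A-Za-z0-9._-], and the first character must be alphanumeric. The
// first-character rule is what excludes ".", "..", leading '~' and
// leading '-' without naming each of them.
bool allowlistAccepts(const std::string& id) {
  if (id.empty() || id.size() > kMaxIdLength) return false;
  if (!isAsciiAlnum(id[0])) return false;
  for (char c : id) {
    if (!isAsciiAlnum(c) && c != '.' && c != '_' && c != '-') return false;
  }
  return true;
}

int main() {
  // Constructed sample IDs, including one with an embedded NUL byte.
  const std::string samples[] = {
      "framework-01", "task_1.2", "~", "~root", "..",
      "a b", "a\nb", "-rf", std::string("a\0b", 3)};
  for (const std::string& id : samples) {
    std::cout << "len=" << id.size()
              << " denylist=" << denylistAccepts(id)
              << " allowlist=" << allowlistAccepts(id) << '\n';
  }
  return 0;
}
```

IDs such as "~root", "a\nb" and the NUL-containing string pass the denylist because none of them matches an enumerated name, while the allowlist rejects them without needing to anticipate each form.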
