[jira] [Commented] (MSHARED-297) Commandline class shell injection vulnerabilities
[
https://issues.apache.org/jira/browse/MSHARED-297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17161054#comment-17161054
]
Dennis Lundberg commented on MSHARED-297:
-
Can this issue be closed now?
> Commandline class shell injection vulnerabilities
> -
>
> Key: MSHARED-297
> URL: https://issues.apache.org/jira/browse/MSHARED-297
> Project: Maven Shared Components
> Issue Type: Bug
> Components: maven-shared-utils
>Reporter: Charles Duffy
>Priority: Critical
> Labels: SECURITY
> Attachments: use-no-shell-r2.patch
>
>
> The Commandline class can emit double-quoted strings without proper escaping,
> allowing shell injection attacks.
> The BourneShell class should unconditionally single-quote emitted strings
> (including the name of the command itself being quoted), with {{'"'"'}} used
> for embedded single quotes, for maximum safety across shells implementing a
> superset of POSIX quoting rules.
> An appropriate fix has been built and applied against PLXUTILS; that patch is
> submitted here in the hope that it will be useful, though it is not expected
> to apply to the maven-shared-utils codebase without modification.
> See PLXUTILS-161 for history/discussion.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (MSHARED-297) Commandline class shell injection vulnerabilities
[
https://issues.apache.org/jira/browse/MSHARED-297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17142457#comment-17142457
]
Hudson commented on MSHARED-297:
Build succeeded in Jenkins: Maven TLP » maven-shared-utils » master #87
See
https://builds.apache.org/job/maven-box/job/maven-shared-utils/job/master/87/
> Commandline class shell injection vulnerabilities
> -
>
> Key: MSHARED-297
> URL: https://issues.apache.org/jira/browse/MSHARED-297
> Project: Maven Shared Components
> Issue Type: Bug
> Components: maven-shared-utils
>Reporter: Charles Duffy
>Priority: Critical
> Labels: SECURITY
> Attachments: use-no-shell-r2.patch
>
>
> The Commandline class can emit double-quoted strings without proper escaping,
> allowing shell injection attacks.
> The BourneShell class should unconditionally single-quote emitted strings
> (including the name of the command itself being quoted), with {{'"'"'}} used
> for embedded single quotes, for maximum safety across shells implementing a
> superset of POSIX quoting rules.
> An appropriate fix has been built and applied against PLXUTILS; that patch is
> submitted here in the hope that it will be useful, though it is not expected
> to apply to the maven-shared-utils codebase without modification.
> See PLXUTILS-161 for history/discussion.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
