[jira] [Commented] (MSHARED-297) Commandline class shell injection vulnerabilities
[ https://issues.apache.org/jira/browse/MSHARED-297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17161054#comment-17161054 ] Dennis Lundberg commented on MSHARED-297: - Can this issue be closed now? > Commandline class shell injection vulnerabilities > - > > Key: MSHARED-297 > URL: https://issues.apache.org/jira/browse/MSHARED-297 > Project: Maven Shared Components > Issue Type: Bug > Components: maven-shared-utils >Reporter: Charles Duffy >Priority: Critical > Labels: SECURITY > Attachments: use-no-shell-r2.patch > > > The Commandline class can emit double-quoted strings without proper escaping, > allowing shell injection attacks. > The BourneShell class should unconditionally single-quote emitted strings > (including the name of the command itself being quoted), with {{'"'"'}} used > for embedded single quotes, for maximum safety across shells implementing a > superset of POSIX quoting rules. > An appropriate fix has been built and applied against PLXUTILS; that patch is > submitted here in the hope that it will be useful, though it is not expected > to apply to the maven-shared-utils codebase without modification. > See PLXUTILS-161 for history/discussion. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MSHARED-297) Commandline class shell injection vulnerabilities
[ https://issues.apache.org/jira/browse/MSHARED-297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17142457#comment-17142457 ] Hudson commented on MSHARED-297: Build succeeded in Jenkins: Maven TLP » maven-shared-utils » master #87 See https://builds.apache.org/job/maven-box/job/maven-shared-utils/job/master/87/ > Commandline class shell injection vulnerabilities > - > > Key: MSHARED-297 > URL: https://issues.apache.org/jira/browse/MSHARED-297 > Project: Maven Shared Components > Issue Type: Bug > Components: maven-shared-utils >Reporter: Charles Duffy >Priority: Critical > Labels: SECURITY > Attachments: use-no-shell-r2.patch > > > The Commandline class can emit double-quoted strings without proper escaping, > allowing shell injection attacks. > The BourneShell class should unconditionally single-quote emitted strings > (including the name of the command itself being quoted), with {{'"'"'}} used > for embedded single quotes, for maximum safety across shells implementing a > superset of POSIX quoting rules. > An appropriate fix has been built and applied against PLXUTILS; that patch is > submitted here in the hope that it will be useful, though it is not expected > to apply to the maven-shared-utils codebase without modification. > See PLXUTILS-161 for history/discussion. -- This message was sent by Atlassian Jira (v8.3.4#803005)