Bug#572144: UNS: Bug#572144: lshell: The default configuration allows run every system command
tags 572144 + pending thanks On Tue, Mar 2, 2010 at 13:08, Maximiliano Curia m...@debian.org wrote: Hola Ignace Mouzannar! Bonjour Maximiliano, El 01/03/2010 a las 23:42 escribiste: Hello Piotr, On Mon, Mar 1, 2010 at 22:11, Piotr Minkina likemandr...@o2.pl wrote: In example I can run echo $(/bin/sh) or echo $(/bin/su), or every other command. Thank you for reporting this. You are absolutely right that the default configuration of lshell permits this, and it should not. I have already corrected this bug in the upcoming version of lshell. A temporary fix would be to add $ in the forbidden list: ---8---8--- ## a list of forbidden character or commands forbidden : [';', '', '|','','', '$'] ---8---8--- I am working on getting the new version out very soon. Please, ping me when it's ready so I can check it, and upload it. I have just uploaded the new version of lshell (0.9.9) on m.d.n [1]. Thank you for your time and support. Ignace M [1] The package can be found on mentors.debian.net: - URL: http://mentors.debian.net/debian/pool/main/l/lshell - Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free - dget http://mentors.debian.net/debian/pool/main/l/lshell/lshell_0.9.9-1.dsc -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#572144: UNS: Bug#572144: lshell: The default configuration allows run every system command
On Sun, Mar 7, 2010 at 12:57, Ignace Mouzannar mouzan...@gmail.com wrote: I have just uploaded the new version of lshell (0.9.9) on m.d.n. As a minor bug was filled on the 0.9.9 version of lshell [1] , I have released a new version (0.9.10) correcting it. The new package has been uploaded on m.d.n [2]. Sorry for the inconvenience. Regards, Ignace M [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572973 [2] The package can be found on mentors.debian.net: - URL: http://mentors.debian.net/debian/pool/main/l/lshell - Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free - dget http://mentors.debian.net/debian/pool/main/l/lshell/lshell_0.9.10-1.dsc -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#572144: UNS: Bug#572144: lshell: The default configuration allows run every system command
Hola Ignace Mouzannar! El 01/03/2010 a las 23:42 escribiste: Hello Piotr, On Mon, Mar 1, 2010 at 22:11, Piotr Minkina likemandr...@o2.pl wrote: In example I can run echo $(/bin/sh) or echo $(/bin/su), or every other command. Thank you for reporting this. You are absolutely right that the default configuration of lshell permits this, and it should not. I have already corrected this bug in the upcoming version of lshell. A temporary fix would be to add $ in the forbidden list: ---8---8--- ## a list of forbidden character or commands forbidden : [';', '', '|','','', '$'] ---8---8--- I am working on getting the new version out very soon. Please, ping me when it's ready so I can check it, and upload it. -- La duración de un minuto depende de que lado del baño estés. -- Ley de la Relatividad (Burke) Saludos /\/\ /\ `/ -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org