Hi Bogdan,

Thanks for the reply! What about the general case, where it's not necessarily $tu that is being used but any user-supplied variable? Would s.escape.common suffice to avoid command injection?

Regards,
Erik

On Thu, 8 Sep 2022 at 11:07, Bogdan-Andrei Iancu <[email protected]> wrote:
>
> Hi Erik,
>
> The $tu is the TO URI, so it should follow the URI syntax, which does
> not allow shell-specific chars in it (like " ' | > aso). So it should
> be safe. Nevertheless, you should force a URI-specific parsing using the
> {uri} transformation and try to separately push as params the username
> and domain - again, just to be safe.
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
> https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/7/22 5:39 PM, Erik H wrote:
> > Hi!
> >
> > What are the recommended practices to avoid command injection when
> > using the exec module with user-defined variables as arguments?
> >
> > For example, say we have this code:
> >
> > exec("/home/.../myscript.sh '$tu'")
> >
> > (or with whatever user-defined value other than $tu we may want to use)
> >
> > Would this be vulnerable to command injection, or does OpenSIPS
> > recognize that the quoted "$tu" value should be escaped? If it is
> > vulnerable, how can we best avoid this? Does it suffice to use
> > s.escape.common on the value?
> >
> > Regards,
> > Erik
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
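The following is an added example, not code from this thread or from the OpenSIPS project. It reproduces the quoting pattern in the question (a user-controlled value pasted inside single quotes and handed to a shell), shows that a single quote in the value breaks out of the argument, shows that backslash-escaping the quote does not help inside single quotes, and then builds the arguments the way the reply suggests: parse the URI, split it into username and domain, and pass each as its own properly quoted parameter. Assumptions: `myscript.sh` is replaced by `echo` as a stand-in; `addslashes` is an assumed backslash-escaping stand-in, not a statement of what `s.escape.common` emits in any OpenSIPS version; the allowlist regexes are this example's own choice. One caveat worth knowing when relying on URI syntax alone: RFC 3261's `mark` set (part of `unreserved`) includes the single quote, and `user-unreserved` includes `&`, `$`, `;`, `?` and `/`, so a grammatically valid SIP URI can still contain shell metacharacters. That is why the example quotes with `shlex.quote` in addition to validating.

```python
"""Added example (not code from the OpenSIPS thread or project): show why
pasting a user-controlled value inside single quotes does not stop shell
command injection, and build the argument safely instead."""
import re
import shlex
import subprocess

MARKER = "INJECTED"  # printed only if an attacker-supplied command ran


def run_shell(cmdline: str) -> str:
    """Hand a command line to /bin/sh -c, as a shell-backed exec() would."""
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True,
                          text=True, timeout=5, check=False)
    return proc.stdout


# The script from the thread is replaced by plain `echo` as a stand-in.
def naive_cmd(value: str) -> str:
    """exec("/home/.../myscript.sh '$tu'") pattern: value pasted into quotes."""
    return f"echo '{value}'"


def addslashes(value: str) -> str:
    """Backslash-escape ' " and \\ (assumed addslashes-style stand-in for a
    generic 'escape the common chars' step; not a claim about what
    s.escape.common emits in any given OpenSIPS version)."""
    return re.sub(r"([\\'\"])", r"\\\1", value)


def escaped_cmd(value: str) -> str:
    """Same pattern, but with the value backslash-escaped first."""
    return f"echo '{addslashes(value)}'"


def quoted_cmd(value: str) -> str:
    """POSIX-correct quoting: a ' is closed, escaped and reopened ('\\''),
    so nothing inside the value can terminate the argument."""
    return f"echo {shlex.quote(value)}"


def ran_injected(cmdline: str) -> bool:
    """True if the injected `echo INJECTED` executed as its own command."""
    return MARKER in run_shell(cmdline).splitlines()


# Allowlist for the pieces we will pass as separate arguments.  Deliberately
# tighter than RFC 3261: its 'mark' set admits ' and 'user-unreserved' admits
# & $ ; ? /, so "is a valid SIP URI" does not mean "is shell-safe".
USER_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}")
HOST_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
                     r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def split_sip_uri(uri: str):
    """Return (user, host) from a sip:/sips: URI, or None if any part fails
    the allowlist.  Port, URI parameters and headers are dropped; IPv6
    literals are not accepted by this example's host regex."""
    m = re.fullmatch(r"sips?:(.+)", uri)
    if not m:
        return None
    rest = m.group(1)
    user, at, hostport = rest.partition("@")
    if not at:
        user, hostport = "", rest
    host = re.split(r"[:;?]", hostport, maxsplit=1)[0]
    if user and not USER_RE.fullmatch(user):
        return None
    if not HOST_RE.fullmatch(host):
        return None
    return user, host


def safe_cmd(script: str, uri: str) -> str:
    """Validate, split into username and domain, and quote each argument."""
    parts = split_sip_uri(uri)
    if parts is None:
        raise ValueError("refusing to exec: To URI failed allowlist")
    user, host = parts
    return " ".join([script, shlex.quote(user), shlex.quote(host)])


if __name__ == "__main__":
    payload = "alice'; echo INJECTED; #"   # constructed attacker value
    for name, build in (("naive", naive_cmd), ("addslashes", escaped_cmd),
                        ("shlex.quote", quoted_cmd)):
        print(f"{name:12s} injected={ran_injected(build(payload))}")
    print(safe_cmd("echo", "sip:alice@example.com:5060;transport=tcp"))
```

The two safe pieces are independent: the allowlist rejects anything a script does not need to see, and `shlex.quote` makes whatever is left inert to the shell even if the allowlist is later loosened. Rejecting (and logging) a failed parse is preferable to silently stripping characters, since a stripped value can still be a different, valid-looking identity.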
