To be honest, I don't know for sure what chars/sequences have to be escaped to be shell safe. The s.escape.common may not be enough, but you can use the re.subst [1] to manually escape more stuff.

[1] https://www.opensips.org/Documentation/Script-Tran-3-2#re.subst

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
  https://www.opensips.org/events/Summit-2022Athens/

On 9/9/22 11:57 AM, Erik H wrote:
Hi Bogdan,

Thanks for the reply! What about the general case, where it's not
necessarily $tu that is being used but any user-supplied variable?
Would s.escape.common suffice to avoid command injection?

Regards,
Erik

Den tors 8 sep. 2022 kl 11:07 skrev Bogdan-Andrei Iancu <[email protected]>:
Hi Erik,

The $tu is the TO URI, so it should follow the URI syntax, which does
not allow shell-specific chars in it (like " ' | > and so on). So it should
be safe. Nevertheless, you should force a URI specific parsing using the
{uri} transformation and try to separately push as params the username
and domain - again, just to be safe.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
    https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
    https://www.opensips.org/events/Summit-2022Athens/

On 9/7/22 5:39 PM, Erik H wrote:
Hi!

What are the recommended practices to avoid command injection when
using the exec module with user-defined variables as arguments?

For example, say we have this code:

exec("/home/.../myscript.sh '$tu'")

(or with whatever user-defined value other than $tu we may want to use)

Would this be vulnerable to command injection, or does OpenSIPS
recognize that the quoted "$tu" value should be escaped? If it is
vulnerable, how can we best avoid this? Does it suffice to use
s.escape.common on the value?

Regards,
Erik

_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
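The exchange above leaves the three candidate treatments of a user-supplied value (quoting it as-is, running it through s.escape.common, or escaping it with re.subst and/or splitting it with {uri.user}/{uri.host}) untested. The script below is an added example, not code from this thread or from the OpenSIPS project. It assumes, as the thread does, that the string handed to exec() is interpreted by /bin/sh; "myscript" is a hypothetical stand-in that only echoes its argument count and arguments; escape_common is a reimplementation of the documented behaviour of the s.escape.common transformation (a backslash in front of ', " and \), and the sip: URI splitting uses shell parameter expansion in place of the {uri.user}/{uri.host} transformations. The payload is constructed and harmless. The single quote in it is deliberate: RFC 3261 lists ' among the "mark" characters allowed in a SIP URI user part, so a syntactically valid To URI can carry one.

```shell
#!/bin/sh
# Added example: models what exec("myscript.sh '$tu'") hands to a shell and
# compares four ways of treating the value. Not OpenSIPS code; see lead-in.

# Hypothetical stand-in for the script exec() would run: prints argc and argv.
myscript() {
  printf 'argc=%d' "$#"
  for a in "$@"; do printf ' [%s]' "$a"; done
  printf '\n'
}

# Reimplementation (assumption) of s.escape.common: \ -> \\, ' -> \', " -> \"
escape_common() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g" -e 's/"/\\"/g'
}

# Shell-safe single quoting: wrap in '...' and turn each embedded ' into '\''.
# This is the output a re.subst on the value would have to produce.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# 1. Exactly what the config line in the thread builds: '$tu' as written.
run_naive()   { eval "$(printf "myscript '%s'" "$1")"; }

# 2. Same line with $(tu{s.escape.common}) substituted for $tu.
run_escaped() { eval "$(printf "myscript '%s'" "$(escape_common "$1")")"; }

# 3. Whole value passed through shell-safe quoting.
run_quoted()  { eval "myscript $(shell_quote "$1")"; }

# 4. Bogdan's advice: split into user and host and pass them as separate,
#    individually quoted arguments (parameter expansion stands in for
#    {uri.user} / {uri.host} here).
run_split() {
  local u user host
  u=${1#sip:}
  user=${u%%@*}
  host=${u#*@}
  eval "myscript $(shell_quote "$user") $(shell_quote "$host")"
}

# Demo with constructed inputs. The payload closes the single quote, runs a
# harmless command, and uses '#' to comment out the dangling quote that follows.
PAYLOAD="x'; echo INJECTED #"
echo "naive, benign URI:   $(run_naive 'sip:alice@example.com')"
echo "naive, payload:      $(run_naive "$PAYLOAD")"       # INJECTED appears
echo "escape.common:       $(run_escaped "$PAYLOAD")"     # still INJECTED: \' ends a '...' string
echo "shell_quote:         $(run_quoted "$PAYLOAD")"      # payload stays one argument
echo "split user/host:     $(run_split "sip:$PAYLOAD@evil.example")"
```

The second and third demo lines are the point: inside a single-quoted shell string a backslash is literal, so the \' that s.escape.common produces terminates the string instead of escaping the quote, and whatever follows runs as a command. Only replacing each ' with '\'' (or dropping single quotes entirely and passing the user and host parts as separate arguments, each quoted the same way) keeps the value as one argument. When writing the equivalent re.subst in the config, verify against the transformation docs how the backslashes and quotes in the replacement have to be escaped inside the script string; the script above states the target output, not the config syntax.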
