[Libguestfs] [nbdkit PATCH] iso: Shell-quote an alternative isoprog

Eric Blake eblake at redhat.com
Wed Jun 26 17:16:02 UTC 2019


On 6/26/19 11:53 AM, Eric Blake wrote:
> Otherwise, a user can do things like "nbdkit iso . prog='date;prog'"
> to run unintended commands in addition to their alternative isoprog.

On the other hand, allowing: prog='isoprog --parameter' may be
intentional, and I just broke that.  Maybe I need to revert this?

> This is not a CVE (since nbdkit isn't running with any more privileges
> than the user running those commands themselves), but shows the
> frailty of relying on the shell to parse subsidiary commands rather
> than exec()ing them directly.  This patch also doesn't resolve the
> fact that we are also passing params= through shell parsing (if we
> don't like that, we should consider changing the interface to make the
> user write param='-V' param='My Disk Image' and use shell_quote() over
> each param, rather than the current params='-V "My Disk Image"'), but
> does try to enhance the docs to point it out with more clarity.
> 
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
> 
> I'm pushing this now, but we may want to reconsider the iso plugin
> exposing params= that is intentionally designed for another round of
> shell parsing, as a followup patch.  Ideally, we want to avoid ever
> passing user-supplied data through another shell invocation without
> first re-quoting it.
> 


-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
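
The quoting trade-off discussed in this message, as an added example (not code from the nbdkit patch or project): quote_word and build_cmd are hypothetical helpers, and the command layout and the params value are constructed for illustration. Quoting the prog= value turns "date;prog" into one inert word, and for the same reason turns "isoprog --parameter" into a single program name.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not nbdkit's own code): copy src into dst as one
 * POSIX sh single-quoted word.  Returns 0, or -1 if dst is too small. */
static int quote_word(const char *src, char *dst, size_t len)
{
    size_t n = 0;
    if (len < 3)                       /* room for '' plus NUL */
        return -1;
    dst[n++] = '\'';
    for (; *src; src++) {
        /* ' cannot appear inside single quotes: close, emit \', reopen */
        size_t need = (*src == '\'') ? 4 : 1;
        if (n + need + 2 > len)        /* keep room for closing ' and NUL */
            return -1;
        if (need == 4)
            memcpy(dst + n, "'\\''", 4);
        else
            dst[n] = *src;
        n += need;
    }
    dst[n++] = '\'';
    dst[n] = '\0';
    return 0;
}

/* Build "<prog> <params>" for sh -c (layout assumed for illustration).
 * params stays unquoted, which the message notes is still the case. */
static int build_cmd(const char *prog, int quote_prog, const char *params,
                     char *out, size_t len)
{
    char q[256];
    int r;
    if (quote_prog) {
        if (quote_word(prog, q, sizeof q) < 0)
            return -1;
        prog = q;
    }
    r = snprintf(out, len, "%s %s", prog, params);
    return (r < 0 || (size_t)r >= len) ? -1 : 0;
}

int main(void)
{
    char cmd[512];  /* prog value is from the message; params is constructed */
    if (build_cmd("date;prog", 1, "-V 'My Disk Image'", cmd, sizeof cmd) == 0)
        puts(cmd);
    return 0;
}
```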
