[Libguestfs] [nbdkit PATCH] iso: Shell-quote an alternative isoprog
Richard W.M. Jones
rjones at redhat.com
Wed Jun 26 17:18:14 UTC 2019
On Wed, Jun 26, 2019 at 12:16:02PM -0500, Eric Blake wrote:
> On 6/26/19 11:53 AM, Eric Blake wrote:
> > Otherwise, a user can do things like "nbdkit iso . prog='date;prog'"
> > to run unintended commands in addition to their alternative isoprog.
>
> On the other hand, allowing: prog='isoprog --parameter' may be
> intentional, and I just broke that. Maybe I need to revert this?

This is fine, because they can use params for that. I think this
patch makes sense, so let's leave it.

Rich.

> > This is not a CVE (since nbdkit isn't running with any more privileges
> > than the user running those commands themselves), but shows the
> > frailty of relying on the shell to parse subsidiary commands rather
> > than exec()ing them directly. This patch also doesn't resolve the
> > fact that we are also passing params= through shell parsing (if we
> > don't like that, we should consider changing the interface to make the
> > user write param='-V' param='My Disk Image' and use shell_quote() over
> > each param, rather than the current params='-V "My Disk Image"'), but
> > does try to enhance the docs to point it out with more clarity.
> >
> > Signed-off-by: Eric Blake <eblake at redhat.com>
> > ---
> >
> > I'm pushing this now, but we may want to reconsider the iso plugin
> > exposing params= that is intentionally designed for another round of
> > shell parsing, as a followup patch. Ideally, we want to avoid ever
> > passing user-supplied data through another shell invocation without
> > first re-quoting it.
> >
>
>
> --
> Eric Blake, Principal Software Engineer
> Red Hat, Inc. +1-919-301-3226
> Virtualization: qemu.org | libvirt.org
>
> _______________________________________________
> Libguestfs mailing list
> Libguestfs at redhat.com
> https://www.redhat.com/mailman/listinfo/libguestfs
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
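
An added example, not part of the thread and not nbdkit's code, showing what quoting prog does to the two values discussed above while params still goes through shell parsing. quote_word() and build_command() are hypothetical names, and the "prog params dir" command layout is an assumption made for illustration.

```c
/* Added example, not nbdkit source: quote_word() is a hypothetical
 * stand-in for the shell_quote() helper the commit message mentions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of s wrapped in single quotes so that sh
 * treats it as exactly one word.  Each embedded ' becomes '\'' . */
static char *quote_word(const char *s)
{
    size_t n = strlen(s), i, j = 0;
    char *out = malloc(4 * n + 3);   /* worst case: every byte is ' */
    if (!out) return NULL;
    out[j++] = '\'';
    for (i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(out + j, "'\\''", 4); j += 4; }
        else out[j++] = s[i];
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* Build the string handed to the shell (assumed layout: prog params dir).
 * prog and dir are quoted; params is passed through unquoted, which the
 * commit message says is still the case after the patch. */
static char *build_command(const char *prog, const char *params, const char *dir)
{
    char *qprog = quote_word(prog), *qdir = quote_word(dir), *cmd = NULL;
    if (qprog && qdir) {
        size_t len = strlen(qprog) + strlen(params) + strlen(qdir) + 3;
        cmd = malloc(len);
        if (cmd) snprintf(cmd, len, "%s %s %s", qprog, params, qdir);
    }
    free(qprog); free(qdir);
    return cmd;
}

int main(void)
{
    /* Constructed inputs; both prog values are the ones from the thread. */
    char *a = build_command("date;prog", "-V \"My Disk Image\"", ".");
    char *b = build_command("isoprog --parameter", "", ".");
    if (!a || !b) return 1;
    printf("%s\n%s\n", a, b);
    free(a); free(b);
    return 0;
}
```

In the first command the `;` sits inside one quoted word, so the shell looks for a single program literally named `date;prog`; in the second, `isoprog --parameter` is likewise one word, which is why extra options have to go in params.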