[Libguestfs] [nbdkit PATCH] iso: Shell-quote an alternative isoprog

Richard W.M. Jones rjones at redhat.com
Wed Jun 26 17:18:14 UTC 2019


On Wed, Jun 26, 2019 at 12:16:02PM -0500, Eric Blake wrote:
> On 6/26/19 11:53 AM, Eric Blake wrote:
> > Otherwise, a user can do things like "nbdkit iso . prog='date;prog'"
> > to run unintended commands in addition to their alternative isoprog.
> 
> On the other hand, allowing: prog='isoprog --parameter' may be
> intentional, and I just broke that.  Maybe I need to revert this?

This is fine, because they can use params for that.  I think this
patch makes sense, so let's leave it.

Rich.

> > This is not a CVE (since nbdkit isn't running with any more privileges
> > than the user running those commands themselves), but shows the
> > frailty of relying on the shell to parse subsidiary commands rather
> > than exec()ing them directly.  This patch also doesn't resolve the
> > fact that we are also passing params= through shell parsing (if we
> > don't like that, we should consider changing the interface to make the
> > user write param='-V' param='My Disk Image' and use shell_quote() over
> > each param, rather than the current params='-V "My Disk Image"'), but
> > does try to enhance the docs to point it out with more clarity.
> > 
> > Signed-off-by: Eric Blake <eblake at redhat.com>
> > ---
> > 
> > I'm pushing this now, but we may want to reconsider the iso plugin
> > exposing params= that is intentionally designed for another round of
> > shell parsing, as a followup patch.  Ideally, we want to avoid ever
> > passing user-supplied data through another shell invocation without
> > first re-quoting it.
> > 
> 
> 
> -- 
> Eric Blake, Principal Software Engineer
> Red Hat, Inc.           +1-919-301-3226
> Virtualization:  qemu.org | libvirt.org
> 




> _______________________________________________
> Libguestfs mailing list
> Libguestfs at redhat.com
> https://www.redhat.com/mailman/listinfo/libguestfs


-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html




More information about the Libguestfs mailing list