oetiker/SmokePing

EchoPingHttp probe should probably escape shell metachars in url

miiichael opened this issue · 7 comments

While switching a probe from curl to echopinghttp I noticed that I needed to escape semicolons in echoping's url parameter (but not curl's). At the very least, this is inconsistent behaviour, and at worst results in unintended arbitrary code execution when using echoping-based probes.

Debian smokeping 2.7.3-2.

This issue has become stale and will be closed automatically within 7 days. Comment on the issue to keep it alive.

Here, have a comment.

Pre-emptive bump. *glares at stalebot*

Hi @miiichael, can you elaborate more on this? I'd like to know if the code execution is reproducible and I think it would help to resolve this issue.

I think the summary is: EchoPingHttp's url value is passed naked to a shell. I feel that the value should instead be protected from interference by it.

Consider these two config fragments:

```
++ github-curl

menu = github (curl)
probe = Curl
host = github.com
urlformat = https://%host%/?foo=bar;touch /tmp/foo;
```

```
++ github-echopinghttp

menu = github (echopinghttp)
probe = EchoPingHttp
host = github.com
url = /?foo=bar;touch /tmp/foo;
```

At first glance you'd consider them to be equivalent, except they're not. :P
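The difference between handing a shell one command string and handing a program an argument list, as an added example that is not part of the original thread and is not SmokePing's code. It assumes the probe builds a single string and runs it through a pipe open; `printf` stands in for the echoping binary, the sub names are hypothetical, and the url value is constructed with a harmless `echo` in place of `touch`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed value modelled on the thread's fragment; a harmless echo
# replaces the touch command.
my $url  = '/?foo=bar;echo INJECTED;';
my $host = 'github.com';

# Stand-in for the echoping binary (assumption): printf prints each argument
# it receives in brackets, so argument boundaries are visible.
my @probe    = ('printf', '[%s]\n');      # argument-list form
my $probe_sh = q{printf '[%s]\n'};        # same command as shell text

# Single-quote a value for /bin/sh; embedded single quotes become '\''.
sub sh_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Run a command string through a pipe open, which passes it to /bin/sh.
sub run_string {
    my ($cmd) = @_;
    open(my $p, "$cmd 2>&1 |") or die "fork: $!";
    my @out = <$p>;
    close $p;
    return @out;
}

# Run an argument list with list-form open: no shell is involved.
sub run_list {
    my @argv = @_;
    open(my $p, '-|', @argv) or die "exec: $!";
    my @out = <$p>;
    close $p;
    return @out;
}

print "unquoted string:\n", run_string("$probe_sh -h $url $host");
print "quoted string:\n",
    run_string(join ' ', $probe_sh, '-h', sh_quote($url), sh_quote($host));
print "argument list:\n", run_list(@probe, '-h', $url, $host);
```

Only the first call lets the shell act on the semicolons; the other two deliver the url to the program as a single argument.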

This issue has become stale and will be closed automatically within 7 days. Comment on the issue to keep it alive.

Sigh.