logger: Wrap `escapeshellarg` around it
Closed this issue · 1 comments
Hi,
I just saw that these two functions:
- https://github.com/limetech/webgui/blob/9f4373ace5bfc3d2bbb9c9d6360cfd17e9c7fb78/plugins/dynamix.plugin.manager/scripts/language#L153
- https://github.com/limetech/webgui/blob/9f4373ace5bfc3d2bbb9c9d6360cfd17e9c7fb78/plugins/dynamix.plugin.manager/scripts/plugin#L286
could be easily tricked (correct me if Iam wrong) to execute code which is not meant to be executed...?
I mean this line: https://github.com/limetech/webgui/blob/9f4373ace5bfc3d2bbb9c9d6360cfd17e9c7fb78/plugins/dynamix.plugin.manager/scripts/plugin#L467
If the variable contains some special chars, it could be treated as seperate command, when getting logged. It may be a valid command for the raw execution via run but Maybe one wants to wrap those variables into escapeshellarg?
Either at logger or just on those lines, processing those inputs.
My idea would be:
Index: plugins/dynamix.plugin.manager/scripts/language
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/plugins/dynamix.plugin.manager/scripts/language b/plugins/dynamix.plugin.manager/scripts/language
--- a/plugins/dynamix.plugin.manager/scripts/language (revision 9f4373ace5bfc3d2bbb9c9d6360cfd17e9c7fb78)
+++ b/plugins/dynamix.plugin.manager/scripts/language (date 1670176126440)
@@ -151,7 +151,7 @@
// Deal with logging message.
//
function logger($message) {
- shell_exec("logger $message");
+ shell_exec("logger ".escapeshellarg($message));
}
// Interpret a language file
Index: plugins/dynamix.plugin.manager/scripts/plugin
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/plugins/dynamix.plugin.manager/scripts/plugin b/plugins/dynamix.plugin.manager/scripts/plugin
--- a/plugins/dynamix.plugin.manager/scripts/plugin (revision 9f4373ace5bfc3d2bbb9c9d6360cfd17e9c7fb78)
+++ b/plugins/dynamix.plugin.manager/scripts/plugin (date 1670176025805)
@@ -284,7 +284,7 @@
// Deal with logging message.
//
function logger($message) {
- shell_exec("logger $message");
+ shell_exec("logger ".escapeshellarg($message));
}
// Interpret a plugin file
If Iam not right, please correct me.
Stupid me...
The actual command never gets logged and the File paths itself only contains a file path.
Nevermind: For debugging purposes, I would include the actual command for the log. I would create a PR for this.