Commit a58f6780 authored by Ad Schellevis's avatar Ad Schellevis

(configd) escape shell parameters

parent ca7c0ffa
...@@ -418,15 +418,20 @@ class Action(object): ...@@ -418,15 +418,20 @@ class Action(object):
# use command execution parameters in action parameter template # use command execution parameters in action parameter template
# use quotes on parameters to prevent code injection # use quotes on parameters to prevent code injection
if script_command.count('%s') > len(parameters): if script_command.count('%s') > len(parameters):
# script command accepts more parameters then given, full with empty parameters # script command accepts more parameters then given, fill with empty parameters
for i in range(script_command.count('%s')-len(parameters)): for i in range(script_command.count('%s')-len(parameters)):
parameters.append("") parameters.append("")
elif len(parameters) > script_command.count('%s'): elif len(parameters) > script_command.count('%s'):
# parameters then expected, fail execution # parameters then expected, fail execution
return 'Parameter mismatch' return 'Parameter mismatch'
# force escape of shell exploitable characters for all user parameters
for escape_char in ['`','$','!','(',')','|']:
for i in range(len(parameters[0:script_command.count('%s')])):
parameters[i] = parameters[i].replace(escape_char,'\\%s'%escape_char)
script_command = script_command % tuple(map(lambda x: '"'+x.replace('"', '\\"')+'"', script_command = script_command % tuple(map(lambda x: '"'+x.replace('"', '\\"')+'"',
parameters[0:script_command.count('%s')])) parameters[0:script_command.count('%s')]))
if self.type.lower() == 'script': if self.type.lower() == 'script':
# execute script type command # execute script type command
try: try:
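Review bot: The character blacklist added on the `for escape_char in [...]` line is incomplete for a double-quoted shell argument: the backslash itself is not in the list, so a parameter that contains one reaches the `x.replace('"', '\\"')` step unescaped and the quoting can still be unbalanced, and this blacklist-then-quote approach has to be kept correct by hand forever. Quoting by construction is the robust form and replaces both the loop and the lambda: `script_command = script_command % tuple(shlex.quote(x) for x in parameters[0:script_command.count('%s')])` with `import shlex` at file top (on a Python 2 tree the equivalent is `pipes.quote`). The `for i in range(len(parameters[0:...]))` loop also indexes where `enumerate` would do, and the comment on the `elif` branch still reads "parameters then expected" and should say `# more parameters given than expected, fail execution`. The enclosing method continues outside the hunk, where the command is actually run; if that path hands the string to a shell, passing an argument list with `shell=False` would remove the need for any escaping here.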