Commit

Update SECURITY.md
update to match NASTY_METACHARS in src/nrpe.c

5bf9b20 - adds \r\n
5aed512 - removes "
glensc authored and John C. Frickson committed Sep 26, 2016
1 parent cd319e3 commit cb5300c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion SECURITY.md
Expand Up @@ -64,7 +64,7 @@ To help prevent some nasty things from being done by evil
clients, the following metacharacters are not allowed
in client command arguments:

| ` & > < ' " \ [ ] { } ; !
| ` & > < ' \ [ ] { } ; ! \r \n

sebastic Dec 8, 2016

Contributor

The exclamation mark is not actually included in NASTY_METACHARS:

#define NASTY_METACHARS	"|`&><'\\[]{};\r\n"

https://github.com/NagiosEnterprises/nrpe/blob/master/src/nrpe.c#L64
https://github.com/NagiosEnterprises/nrpe/blob/maint/src/nrpe.c#L64


Any client request which contains the above mentioned metachars
is discarded.
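
Review bot: the updated list still ends with !, while the NASTY_METACHARS definition quoted in the comment on this hunk ("|`&><'\\[]{};\r\n") contains no exclamation mark, so the document does not yet match src/nrpe.c as the commit message intends; either drop ! from the list or add it to the define. Removing " from the list also means double quotes are no longer documented as rejected, which deserves a sentence in SECURITY.md, and \r \n would read more clearly as "carriage return" and "newline" since every other entry is a literal character.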