The suggested configuration is not secure:
^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[^ /]*)?$
^chmod 0644 /srv/reprepro/incoming/[^ /]*$
^reprepro ( -V)? -b /srv/reprepro processincoming foobar$
The first and second regex can be abused to execute arbitrary commands:
SSH_ORIGINAL_COMMAND='scp -p -t /srv/reprepro/incoming/&echo owned' /usr/lib/restricted-ssh-commands test.conf
where a TAB is used instead of spaces between echo and owned.
/ is blacklisted but a rm -rf / can be executed using $(printf "\x2f") for example.
The documentation should probably warn about the dangers of accepting TAB CR LF $ "" '' `` & ; and so on in the regex.
Bug report in Debian: https://bugs.debian.org/876392
Thanks for reporting the bug.
Can you review the man page changes in commit 4f7e1b8? I will prepare a new release if you are happy with the docs.
I think including . in the pattern allows you to use /srv/reprepro/incoming/.. ;) and escape into /srv/reprepro/. Apart from that it looks good.