Remove legacy plugin hook that presents potential 3rd party security issues #3177
Comments
|
Well, I'm going to see if this plugin is actually used anywhere. Cause I agree. Right now, it's the plugins responsibility to perform any escaping of the arguments, as they can be pretty free form. I would suggest that maybe in 2020, we don't even need this hook. But we have to review it first. |
|
Just finished the audit. I'd be happy to remove this as a bug. The two legacy plugins that used it really were misusing it to modify memory limits for the data collectors and not really messing with command line arguments. In other words, they were hacks by the uber-hacker himself, he who shall remain nameless. |
cigamit
changed the title
cigamit
added a commit
that referenced
this issue
Jan 11, 2020
Remove legacy plugin hook that presents potential 3rd party security issues
|
Thank you for the quick reaction. We'll remove it from our packages too |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
We (SUSE) are currently reviewing all cron jobs we package for security issues. cacti packages a cron job and that lead us to have a look. During this I noticed that
in poller.php
575 $extra_args = api_plugin_hook_function('poller_command_args', $extra_args);
allows plugins to add arguments to the commands being executed. These arguments are not escaped, so it's left to the plugins to do this. I checked the default plugins and none of them are problematic.
IMHO (and I'm not really familiar with the code base) it might make sense to ensure proper escaping here to ensure defense in depth. Currently the code relies on every plugin getting this right.
The text was updated successfully, but these errors were encountered: