'&' in password broke the local.py command line #61

Closed
MyonKeminta opened this Issue Jan 27, 2018 · 7 comments

MyonKeminta commented Jan 27, 2018

Ubuntu 16.04

Version: 0.2.0-alpha-4

My password contains a &, which broke the execution command line of local.py of ssr.

Maybe it's better to wrap the password with a pair of single quote marks, at least on Linux.

Or, maybe there exists some way to pass command line args directly to the process?

Log:

```
2018-01-27T17:47:35+0800 <debug> main.js:1 (n) run command: python "/home/xxxx/.config/electron-ssr/shadowsocksr/shadowsocks/local.py" -s xxx.xxx.xxx.xxx -p xxxx -k aaaa&bbbb -m xxxx -O xxxx -o xxxx -b 127.0.0.1 -l 1080 --log-file /home/xxxx/.config/electron-ssr/logs/shadowsocksr.log
2018-01-27T17:47:35+0800 <error> events.js:101 (emitOne) /bin/sh: 1: bbbb not found
```

Owner

erguotou520 commented Jan 27, 2018

Yes, good suggestion.


Owner

erguotou520 commented Jan 27, 2018

The same with protocolparam and obfs_param


MyonKeminta commented Jan 27, 2018

...if you wrap the password with single quote marks, there may be single quote marks in the password


Owner

erguotou520 commented Jan 27, 2018

So what's your suggestion?


MyonKeminta commented Jan 27, 2018

I saw the documentation of `child_process.exec` and found:

> Note: Never pass unsanitised user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

I think maybe you can use `child_process.execFile` instead.

erguotou520 added the bug label Jan 28, 2018


Owner

erguotou520 commented Jan 31, 2018

Fixed in beta-1 version. Thanks for your report.
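
The `child_process.execFile` suggestion from the thread, as an added example (not electron-ssr's code and not its actual fix): the arguments go to the child as an array, so no shell ever parses the password. The config key names, the sample values, and the argv-echoing child process that stands in for `python local.py` are assumptions made for the illustration.

```javascript
// Added example, not electron-ssr code. Config key names are hypothetical;
// the flags are the ones visible in the logged command line above.
const { execFileSync } = require('node:child_process');

// Build the argument vector: one array element per argument, no quoting.
function buildLocalArgs(cfg) {
  return [
    '-s', cfg.server,
    '-p', String(cfg.serverPort),
    '-k', cfg.password,
    '-m', cfg.method,
    '-O', cfg.protocol,
    '-o', cfg.obfs,
    '-b', cfg.localAddr,
    '-l', String(cfg.localPort),
    '--log-file', cfg.logFile,
  ];
}

// Stand-in for `python local.py`: a child Node process that prints the
// arguments it actually received as JSON.
const ECHO_ARGV = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';

function argvSeenByChild(args) {
  // execFileSync starts the program directly (no /bin/sh unless the
  // `shell` option is set), so '&', quotes, ';' and '$' are plain bytes.
  const out = execFileSync(
    process.execPath,
    ['-e', ECHO_ARGV, '--', ...args],
    { encoding: 'utf8' }
  );
  return JSON.parse(out);
}

// Constructed sample config; the password mixes '&' with both quote styles,
// the case where wrapping it in single quotes would fail as well.
const sampleConfig = {
  server: '192.0.2.10',
  serverPort: 8388,
  password: 'aaaa&bbbb\'c"d $e;f|g',
  method: 'aes-256-cfb',
  protocol: 'origin',
  obfs: 'plain',
  localAddr: '127.0.0.1',
  localPort: 1080,
  logFile: '/tmp/shadowsocksr.log',
};
```

The same array can be handed to `child_process.execFile` or `child_process.spawn` for the long-running process; the point is that the password stays a single argv element regardless of its content.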
