Restriction overrun via simple trick #147
Comments
Hi @Oloremo! Thanks for reporting these major security issues. I am unfortunately away from my PC until tomorrow night. I'll do my best to work on this asap. Cheers!

Please, note: this issue is not about command chains (

I can confirm this, too, with latest dev version:

By the way, I couldn't reproduce this with

@omega8cc it is because of

@Snawoot Ah, right. Thanks for the correction!
…s#148, Closes ghantoos#147) Both issues ghantoos#148 and ghantoos#147 use the same vulnerability in the parser, that ignored the quoted strings. Parsing only the rest of the line for security issues. This is a major security bug. Thank you Proskurin Kirill (@Oloremo) and Vladislav Yarmak (@Snawoot) for reporting this!!
The fix works fine for me, thanks!
…loses #147, Closes #149) Both issues #148 and #147 use the same vulnerability in the parser, that ignored the quoted strings. Parsing only the rest of the line for security issues. This is a major security bug. This commit also corrects a previously omitted correction regarding the control characters, that permitted to escape from lshell. Thank you Proskurin Kirill (@Oloremo) and Vladislav Yarmak (@Snawoot) for reporting this!!
Closes #148, Closes #147, Closes #149) Both issues #148 and #147 use the same vulnerability in the parser, that ignored the quoted strings. Parsing only the rest of the line for security issues. This is a major security bug. This commit also corrects a previously omitted correction regarding the control characters, that permitted to escape from lshell. Thank you Proskurin Kirill (@Oloremo) and Vladislav Yarmak (@Snawoot) for reporting this!!
If you run something like `echo && 'bash'` or `echo || 'bash'`, it will exec the bash command. This can be avoided by adding `&&` and `||` to the forbidden list, but still.
Env:
Ubuntu 14.04
lshell-0.9.16-1
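To make the parser defect described in this thread concrete, here is an added, constructed reproduction in Python (not lshell's own code): `vulnerable_allowed` models a checker that drops quoted text before inspecting the line, so the quoted `'bash'` after `&&` or `||` is never seen, while `hardened_allowed` tokenises with shell quoting rules and checks the first word of every chained segment. The allowlist and the helper names are assumptions for the demonstration.

```python
import shlex

# Constructed allowlist for this demonstration; lshell reads its own config.
# lshell's separate forbidden-character list ($, backticks, redirections...)
# is another layer and is not reproduced here.
ALLOWED = {"echo", "ls", "pwd"}
CHAIN_OPERATORS = {"&&", "||", ";", "|", "&"}

def strip_quoted(line):
    """Reproduction of the vulnerable parsing (constructed, not lshell's
    code): anything inside single or double quotes is dropped before the
    check, so a command written in quotes is never inspected."""
    out, quote = [], None
    for ch in line:
        if quote:
            quote = None if ch == quote else quote
        elif ch in ("'", '"'):
            quote = ch
        else:
            out.append(ch)
    return "".join(out)

def split_segments(tokens):
    """Group a token stream into the commands joined by &&, ||, ;, | and &."""
    segments, current = [], []
    for tok in tokens:
        if tok in CHAIN_OPERATORS:
            segments.append(current)
            current = []
        else:
            current.append(tok)
    segments.append(current)
    return segments

def vulnerable_allowed(line):
    """Only the unquoted remainder is checked, and an empty segment passes."""
    segments = split_segments(strip_quoted(line).split())
    return all(not seg or seg[0] in ALLOWED for seg in segments)

def hardened_allowed(line):
    """Tokenise with shell quoting rules (shlex, Python 3.8+): a quoted
    'bash' comes back as the plain token bash and is checked like any other
    command, and unbalanced quotes or an empty segment are refused."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split on whitespace and on ();<>|&
    try:
        tokens = list(lexer)
    except ValueError:  # e.g. "No closing quotation"
        return False
    return all(bool(seg) and seg[0] in ALLOWED for seg in split_segments(tokens))
```

Quoted arguments such as `echo 'a && b'` still pass the hardened check, because the quoted text becomes a single argument token rather than a chain operator.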