mgt_cli: Don't pass unknown commands to the child

Since mgt is aware of all known cli commands, unknown commands should be blocked by mgt and not forwarded to the child process to prevent any malicious command smuggling (using quotes for example).
varnishcache · Nov 10, 2023 · 5ac900a · 5ac900a
1 parent be95bc5
commit 5ac900a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/bin/varnishd/mgt/mgt_cli.c b/bin/varnishd/mgt/mgt_cli.c
@@ -185,7 +185,7 @@ mcf_askchild(struct cli *cli, const char * const *av, void *priv)
 	}
 
 	cmd = mgt_cmd_lookup(av[1]);
-	if (cmd != NULL && CMD_INTERNAL(cmd)) {
+	if (cmd == NULL || CMD_INTERNAL(cmd)) {
 		VCLI_Out(cli, "Unknown request.\nType 'help' for more info.\n");
 		VCLI_SetResult(cli, CLIS_UNKNOWN);
 		return;

diff --git a/bin/varnishtest/tests/b00008.vtc b/bin/varnishtest/tests/b00008.vtc
@@ -49,3 +49,5 @@ varnish v1 -cliexpect 60 "param.show first_byte_timeout"
 varnish v1 -cliok "param.set cli_limit 128"
 
 varnish v1 -clierr 201 "param.show"
+
+varnish v1 -clierr 101 "\"vcl.use foo\""