From 5ac900a8413e52c756f9cb0b18e4f24a66094f50 Mon Sep 17 00:00:00 2001
From: Walid Boudebouda
Date: Mon, 6 Nov 2023 11:14:10 +0100
Subject: [PATCH] mgt_cli: Don't pass unknown commands to the child

Since mgt is aware of all known cli commands, unknown commands should be blocked by mgt and not forwarded to the child process to prevent any malicious command smuggling (using quotes for example).
---
 bin/varnishd/mgt/mgt_cli.c | 2 +-
 bin/varnishtest/tests/b00008.vtc | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/bin/varnishd/mgt/mgt_cli.c b/bin/varnishd/mgt/mgt_cli.c
index c3b27d49819..c58d1af1f46 100644
--- a/bin/varnishd/mgt/mgt_cli.c
+++ b/bin/varnishd/mgt/mgt_cli.c
@@ -185,7 +185,7 @@ mcf_askchild(struct cli *cli, const char * const *av, void *priv)
 	}
 
 	cmd = mgt_cmd_lookup(av[1]);
-	if (cmd != NULL && CMD_INTERNAL(cmd)) {
+	if (cmd == NULL || CMD_INTERNAL(cmd)) {
 		VCLI_Out(cli, "Unknown request.\nType 'help' for more info.\n");
 		VCLI_SetResult(cli, CLIS_UNKNOWN);
 		return;
diff --git a/bin/varnishtest/tests/b00008.vtc b/bin/varnishtest/tests/b00008.vtc
index 755d6e4b430..4321ea17183 100644
--- a/bin/varnishtest/tests/b00008.vtc
+++ b/bin/varnishtest/tests/b00008.vtc
@@ -49,3 +49,5 @@ varnish v1 -cliexpect 60 "param.show first_byte_timeout"
 
 varnish v1 -cliok "param.set cli_limit 128"
 varnish v1 -clierr 201 "param.show"
+
+varnish v1 -clierr 101 "\"vcl.use foo\""
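Review bot: The new condition `if (cmd == NULL || CMD_INTERNAL(cmd))` carries no comment saying why an unknown command is now rejected in the manager instead of being forwarded, and a later reader who only sees "Unknown request" for a command the child might understand could reasonably relax it back to the old form. Since this is the one line that closes the quoting-based smuggling the commit message describes, I would document the intent above it: `/* Reject anything not in mgt's command table here: the child re-parses the forwarded line, so an unrecognized (e.g. quoted) token must never reach it. */`. The check also depends on every command the child is allowed to execute being present in the table mgt_cmd_lookup() consults; if a command is ever registered only in the child, it will now be unreachable, which is worth a sentence in that table's header. mcf_askchild() begins and ends outside this hunk, so whether av[1] is guaranteed non-NULL before the lookup cannot be confirmed from the visible lines.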
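Review bot: The added assertion `varnish v1 -clierr 101 "\"vcl.use foo\""` exercises only the quoted-token case, so a regression that still forwards unquoted unknown commands would pass this test. One more line with a plain unknown name, for example `varnish v1 -clierr 101 "no.such.command"` (constructed name), would pin the `cmd == NULL` branch independently of quoting. A positive case showing that a known, non-internal command is still forwarded to the child after this change would complete the pair.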