-
-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for server_password management #60
Conversation
65f1f33
to
bdfa2dc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @smortex and thank you for the PR.
Some inline comments added. Can you have a look ?
c9e6011
to
7d0adb6
Compare
7d0adb6
to
8f31f8d
Compare
The fix provided by voxpupuli#53 is incomplete: using shell redirections and control operators need to switch to the 'shell' exec provider, which in turn allows command injections. Moreover, as explained in voxpupuli#52, murmurd exists with an exit code of 1 on success… but also on failure. Attempt to improve the situation by switching to the shell provider, shell escaping the password thanks to stdlib's shell_escape function, and grep the stderr output of murmurd for a success message.
8f31f8d
to
d90e2da
Compare
Looks like I added the stdlib requirements to the wrong section in metadata.json (requirements instead of dependencies)… I just pushed a fix! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Pull Request (PR) description
The fix provided by #53 is incomplete: using shell redirections and control operators need to switch to the 'shell' exec provider, which in turn allows command injections. Moreover, as explained in #52, murmurd exists with an exit code of 1 on success… but also on failure.
Attempt to improve the situation by switching to the shell provider, shell escaping the password thanks to stdlib's shell_escape function, and grep the stderr output of murmurd for a success message.
This Pull Request (PR) fixes the following issues
n/a