On Wed, Jun 26, 2019 at 12:16:02PM -0500, Eric Blake wrote:
On 6/26/19 11:53 AM, Eric Blake wrote:
> Otherwise, a user can do things like "nbdkit iso . prog='date;prog'"
> to run unintended commands in addition to their alternative isoprog.
On the other hand, allowing: prog='isoprog --parameter' may be
intentional, and I just broke that. Maybe I need to revert this?
This is fine, because they can use params for that. I think this
patch makes sense, so let's leave it.
Rich.
> This is not a CVE (since nbdkit isn't running with any more privileges
> than the user running those commands themselves), but shows the
> frailty of relying on the shell to parse subsidiary commands rather
> than exec()ing them directly. This patch also doesn't resolve the
> fact that we are also passing params= through shell parsing (if we
> don't like that, we should consider changing the interface to make the
> user write param='-V' param='My Disk Image' and use shell_quote() over
> each param, rather than the current params='-V "My Disk Image"'), but
> does try to enhance the docs to point it out with more clarity.
>
> Signed-off-by: Eric Blake <eblake(a)redhat.com>
> ---
>
> I'm pushing this now, but we may want to reconsider the iso plugin
> exposing params= that is intentionally designed for another round of
> shell parsing, as a followup patch. Ideally, we want to avoid ever
> passing user-supplied data through another shell invocation without
> first re-quoting it.
>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html