Project

General

Profile

Bug #4026

native_ms/dnscmd providers should use shell escaping when running commands

Added by Dominic Cleal about 8 years ago. Updated 3 months ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Security
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

The two Windows providers (native_ms/dnscmd) should escape incoming data which is currently passed straight to the cmd.exe shell.

Assigning Sam as he's already looked a bit at this.

More discussion: https://github.com/theforeman/smart-proxy/pull/127/files#r8814677


Related issues

Related to Smart Proxy - Feature #3991: dnscmd provider for smart-proxy (Windows)Closed2014-01-10
Related to Foreman - Tracker #5409: DNS Proxy ImprovementsNew

Associated revisions

Revision 9522669b (diff)
Added by Anna Vitova 3 months ago

fixes #4026 - fixes #4026 secure Windows command execution

History

#1 Updated by Dominic Cleal about 8 years ago

  • Related to Feature #3991: dnscmd provider for smart-proxy (Windows) added

#2 Updated by Dominic Cleal about 8 years ago

  • Description updated (diff)

#3 Updated by Stephen Benjamin over 7 years ago

#4 Updated by Anonymous over 4 years ago

  • Assignee changed from Sam Kottler to Dmitri Dolguikh

Dmitry, I guess this can be closed?

#5 Updated by Dmitri Dolguikh over 4 years ago

I don't think this can be closed -- dns_dnscmd provider doesn't escape data passed to it.

#6 Updated by The Foreman Bot 6 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/796 added

#7 Updated by Anna Vítová 5 months ago

  • Assignee changed from Dmitri Dolguikh to Anna Vítová

#8 Updated by The Foreman Bot 3 months ago

  • Fixed in Releases 3.1.0 added

#9 Updated by Anonymous 3 months ago

  • Status changed from Ready For Testing to Closed

Also available in: Atom PDF