
rapache-devel team mailing list archive

[Bug 238165] Re: Properly escape shell commands

 

** Visibility changed to: Public

-- 
Properly escape shell commands
https://bugs.launchpad.net/bugs/238165
You received this bug notification because you are a member of Rapache
Developers, which is subscribed to Remote Apache Management tool.

Status in rapache: New

Bug description:
Bash commands are not properly escaped. This could (and will) lead to problems with filesystem paths containing spaces as well as big security holes that could lead to bash code injection (and mind - we run a lot of commands with root privileges).

How to get better:
 - review code and properly escape bash commands [1]
 - blacklist certain characters we don't plan to support in filesystem paths (double quotes - " - for example)
 - centralize bash commands execution into a specific class/pypackage to improve security maintainability
 - review code and make sure there are no unescaped user input sources anymore.

[1] From #python
(07:00:05 PM) rgl: is there some function that escapes shell arguments?   (nb: I don't want to use the exec* functions, I want to run remote commands)
(07:00:27 PM) tacone: rgl: I am interested to know that too .-)
(07:00:46 PM) Yhg1s: rgl: commands.mkarg is the closest.
(07:00:57 PM) Yhg1s: but it really depends on this remote shell.
(07:01:06 PM) Yhg1s: since that defines how something should be escaped.
(07:01:16 PM) rgl: tacone, I already made one, but it only works for bash/sh.  it only translates ' => '\''
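
Added example (not part of the original bug report or chat, and not rapache code): a minimal centralized helper that applies the `'` => `'\''` rule mentioned above for sh/bash, next to the naive concatenation it replaces. The function names and sample paths are hypothetical and constructed for illustration; it assumes a POSIX `/bin/sh` is available.

```python
import shlex
import subprocess


def naive(path):
    """The pattern the bug describes: user input pasted into a shell string."""
    return "ls " + path


def sh_quote(arg):
    """Quote one argument for sh/bash: wrap it in single quotes and rewrite
    each embedded ' as '\\'' (close quote, escaped quote, reopen quote)."""
    if "\x00" in arg:
        # A NUL byte can never be passed as part of a process argument.
        raise ValueError("NUL byte not allowed in shell argument")
    return "'" + arg.replace("'", "'\\''") + "'"


def run_argv(argv):
    """Preferred for local commands: no shell ever parses the arguments."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_via_shell(argv):
    """When a shell string is unavoidable (e.g. a remote sh): quote every
    argument individually, then join them with spaces."""
    cmd = " ".join(sh_quote(a) for a in argv)
    return subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample paths: spaces, both quote types, shell metacharacters.
SAMPLES = [
    "/etc/apache2/sites-available/my site",
    '/var/www/a"b',
    "/var/www/it's",
    "/var/www/x; echo INJECTED",
    "/var/www/$(echo INJECTED)",
    "/var/www/`echo INJECTED`",
]


def roundtrip(path):
    """Return the argument exactly as the shell hands it to the command."""
    return run_via_shell(["printf", "%s", path])


if __name__ == "__main__":
    print(shlex.split(naive(SAMPLES[0])))  # the path is split at the space
    for p in SAMPLES:
        print(sh_quote(p), "->", roundtrip(p) == p)
```

On Python 3 the standard library's `shlex.quote` does the same job with a different but equivalent encoding of the single quote; as noted in the chat, either form is only valid when the receiving shell is sh-compatible.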