[MESOS-5388] MesosContainerizerLaunch flags execute arbitrary commands via shell. - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0.0
Fix Version/s: 1.0.1
Component/s: containerization
Labels:

Epic Link:
Unified Container
Sprint:
Mesosphere Sprint 39, Mesosphere Sprint 40
Story Points:
5

Description

For example, the docker volume isolator's containerPath is appended (without sanitation) to a command that's executed in this manner. As such, it's possible to inject arbitrary shell commands to be executed by mesos.

https://github.com/apache/mesos/blob/17260204c833c643adf3d8f36ad8a1a606ece809/src/slave/containerizer/mesos/launch.cpp#L206

Perhaps instead of strings these commands could/should be sent as string arrays that could be passed as argv arguments w/o shell interpretation?

Attachments

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Gilbert Song

Reporter:: James DeFelice

Shepherd:: Jie Yu

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 16/May/16 18:28

Updated:: 02/Aug/16 23:51

Resolved:: 02/Aug/16 23:51

Agile

Completed Sprints:: Mesosphere Sprint 39 ended 22/Jul/16
Mesosphere Sprint 40 ended 09/Aug/16

View on Board

MesosContainerizerLaunch flags execute arbitrary commands via shell.

Details

Description

Attachments

Attachments

Activity

People

Dates

Agile

Slack

Issue deployment