Mesos / MESOS-7041

Default CommandInfo usage to not use the shell.


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • security
    • None

    Description

      One of the usage patterns of CommandInfo is to carry commands from isolators to launchers. The default (and easiest) way to use this is launchInfo.add_pre_exec_commands()->set_value(...), which invokes the shell. To reduce the risk of shell injection attacks, all isolators should default to not using the shell, which implies that this should be the easiest/default usage pattern.
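The difference the description refers to, as an added example that is not Mesos code and not part of the original issue: `Cmd`, `run()`, `viaShell()`, `viaArgv()` and the sample value are hypothetical stand-ins that model CommandInfo's `shell`, `value` and `arguments` fields with plain POSIX calls.

```cpp
// Added illustration, not Mesos code: Cmd and run() are hypothetical stand-ins.
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

struct Cmd {                           // models CommandInfo shell/value/arguments
  bool shell = true;                   // CommandInfo.shell defaults to true
  std::string value;                   // shell: command line; otherwise: executable
  std::vector<std::string> arguments;  // argv, including argv[0], when !shell
};

// Runs cmd in a child process and returns everything it wrote to stdout.
std::string run(const Cmd& cmd) {
  int fds[2];
  if (pipe(fds) != 0) return "";
  pid_t pid = fork();
  if (pid < 0) { close(fds[0]); close(fds[1]); return ""; }
  if (pid == 0) {
    dup2(fds[1], STDOUT_FILENO);
    close(fds[0]); close(fds[1]);
    if (cmd.shell) {
      // The shell parses value, so ';', '$()', '|' and friends are interpreted.
      execl("/bin/sh", "sh", "-c", cmd.value.c_str(), (char*) nullptr);
    } else {
      // No parsing: each argument reaches the program as one literal string.
      std::vector<char*> argv;
      for (const std::string& a : cmd.arguments) argv.push_back(const_cast<char*>(a.c_str()));
      argv.push_back(nullptr);
      execvp(cmd.value.c_str(), argv.data());
    }
    _exit(127);                        // only reached if exec failed
  }
  close(fds[1]);
  std::string out; char buf[256]; ssize_t n;
  while ((n = read(fds[0], buf, sizeof(buf))) > 0) out.append(buf, static_cast<size_t>(n));
  close(fds[0]);
  waitpid(pid, nullptr, 0);
  return out;
}

// Constructed sample: a value an isolator might splice into a pre-exec command.
const std::string kUntrusted = "/mnt/vol; echo INJECTED";

std::string viaShell() { Cmd c; c.value = "echo " + kUntrusted; return run(c); }
std::string viaArgv() {
  Cmd c; c.shell = false; c.value = "echo"; c.arguments = {"echo", kUntrusted};
  return run(c);
}
```

With the shell form the `;` splits the value into two commands; with the argv form the same bytes arrive at `echo` as a single argument.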


          People

            Unassigned
            James Peach (jamespeach)
