Uploaded image for project: 'Maven Shared Components'
  1. Maven Shared Components
  2. MSHARED-297

Commandline class shell injection vulnerabilities

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    Description

      The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

      The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself being quoted), with '"'"' used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules.

      An appropriate fix has been built and applied against PLXUTILS; that patch is submitted here in the hope that it will be useful, though it is not expected to apply to the maven-shared-utils codebase without modification.

      See PLXUTILS-161 for history/discussion.

      Attachments

        Issue Links

        relates to

        Bug - A problem which impairs or prevents the functions of the product. MSHARED-431 # (Hash-Sign) should trigger quoting in BourneShell.java

        • Major - Major loss of function.
        • Closed
        links to

        Web Link GitHub Pull Request #40

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            slachiewicz Sylwester Lachiewicz
            charles@dyfis.net Charles Duffy
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment