
List:       os-sim-commits
Subject:    [Os-sim-commits] agent/ossim_agent MonitorCommand.py,1.1,1.2
From:       David Gil <dvgil () users ! sourceforge ! net>
Date:       2008-10-22 8:05:48
Message-ID: E1KsYiy-0004dU-OK () 23jxhf1 ! ch3 ! sourceforge ! com

Update of /cvsroot/os-sim/agent/ossim_agent
In directory 23jxhf1.ch3.sourceforge.com:/tmp/cvs-serv17628

Modified Files:
	MonitorCommand.py 
Log Message:
We need to protect MonitorCommand against command injection.
In the meantime, this is a simple patch replacing ` characters by
spaces, which, I know, doesn't fix the problem at all.


Index: MonitorCommand.py
===================================================================
RCS file: /cvsroot/os-sim/agent/ossim_agent/MonitorCommand.py,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- MonitorCommand.py	3 Oct 2006 13:50:30 -0000	1.1
+++ MonitorCommand.py	22 Oct 2008 08:05:46 -0000	1.2
@@ -16,6 +16,10 @@
     def get_data(self, rule_name):
         query = self.queries[rule_name]
         logger.debug("Sending query to monitor: %s" % (query))
+
+	# TODO,FIXME: protect against command injection
+	query = query.replace('`', '')
+
         data = commands.getoutput(query)
         logger.debug("Received data from monitor: %s" % (data))
         return data
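Review bot: the added `query = query.replace('`', '')` does not mitigate the injection the log message describes, because the result is still handed to `commands.getoutput(query)`, which runs it through `/bin/sh -c`; other shell metacharacters (`;`, `|`, `$(...)`) pass through untouched, and the query is read from `self.queries[rule_name]` without any validation. Rather than filtering characters, run the monitor command without a shell, e.g. `subprocess.Popen(shlex.split(query), stdout=subprocess.PIPE)` (the `commands` module is also deprecated in later Python 2 releases), and validate `rule_name` and the configured query against an allowlist when the configuration is loaded. Two smaller points: the log message says backticks are replaced by spaces, but the code replaces them with an empty string, and the three added lines are tab-indented while the rest of `get_data` uses spaces, which Python accepts here only because a tab happens to equal the eight-space indent.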


_______________________________________________
Os-sim-commits mailing list
Os-sim-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/os-sim-commits