List: os-sim-commits
Subject: [Os-sim-commits] agent/ossim_agent MonitorCommand.py,1.1,1.2
From: David Gil <dvgil () users ! sourceforge ! net>
Date: 2008-10-22 8:05:48
Message-ID: E1KsYiy-0004dU-OK () 23jxhf1 ! ch3 ! sourceforge ! com
Update of /cvsroot/os-sim/agent/ossim_agent
In directory 23jxhf1.ch3.sourceforge.com:/tmp/cvs-serv17628
Modified Files:
MonitorCommand.py
Log Message:
We need to protect MonitorCommand against command injection
In the meanwhile, this is a simple patch replacing ` characters by
spaces, which, I know, doesn't fix the problem at all
Index: MonitorCommand.py
===================================================================
RCS file: /cvsroot/os-sim/agent/ossim_agent/MonitorCommand.py,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- MonitorCommand.py 3 Oct 2006 13:50:30 -0000 1.1
+++ MonitorCommand.py 22 Oct 2008 08:05:46 -0000 1.2
@@ -16,6 +16,10 @@
def get_data(self, rule_name):
query = self.queries[rule_name]
logger.debug("Sending query to monitor: %s" % (query))
+
+ # TODO,FIXME: protect against command injection
+ query = query.replace('`', '')
+
data = commands.getoutput(query)
logger.debug("Received data from monitor: %s" % (data))
return data
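Review bot: the `query.replace('`', '')` line does not close the injection hole that the TODO above it names, because `commands.getoutput(query)` still hands the string to a shell, and backticks are only one of several ways a shell can be made to run extra commands (`;`, `|`, `&&`, `$( )`, redirections). Rather than stripping characters, run the monitor command without a shell, e.g. `subprocess.Popen(shlex.split(query), stdout=subprocess.PIPE)` or a pre-split argument list with `shell=False`, and treat `rule_name` and the contents of `self.queries` as trusted configuration that is validated when it is loaded rather than when it is executed. Two smaller points: the log message says backticks are replaced "by spaces" while the code replaces them with the empty string, so one of the two should be corrected; and the `# TODO,FIXME` comment should say that the strip is a stopgap, so nobody later reads it as the fix.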